Broadcom issued a warning today regarding three newly discovered VMware zero-day vulnerabilities: CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. These vulnerabilities, identified by the Microsoft Threat Intelligence Center, affect multiple VMware products, including ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.
According to Broadcom, attackers with administrative or root privileges inside a guest can exploit these flaws to escape the virtual machine's sandbox. “Attackers who have already compromised the guest operating system and gained privileged access could escalate an attack on the hypervisor itself,” the company explained. Broadcom also confirmed evidence of in-the-wild exploitation.
Among the reported vulnerabilities, CVE-2025-22224 is classified as a critical VMCI heap overflow flaw that allows a local attacker with administrative access to a virtual machine to execute code as the VMX process running on the host. CVE-2025-22225 is an ESXi arbitrary write vulnerability that allows the VMX process to perform malformed kernel writes, potentially leading to a sandbox escape. Meanwhile, CVE-2025-22226 is an HGFS information-disclosure flaw that allows an attacker with administrative privileges to leak memory from the VMX process.
VMware products are a frequent target for ransomware groups and state-sponsored hackers because of their widespread use in enterprise environments to store and transfer sensitive corporate data.
This is not the first instance of active exploitation of VMware flaws. In November, Broadcom warned of attackers exploiting two VMware vCenter Server vulnerabilities that had been patched in September.
Additionally, in January 2024, Broadcom revealed that Chinese state-sponsored hackers had exploited a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least the second half of 2021.