Broadcom on March 4 released an advisory addressing three flaws in VMware products, one of them critical, that let an attacker who already controls a running virtual machine escape it and reach the underlying hypervisor.
The flaws are considered especially serious because Broadcom said it had information that they were already being exploited in the wild.
Security teams are affected if they are running any version of VMware ESXi, VMware vSphere, VMware Cloud Foundation, or VMware Telco Cloud Platform earlier than the versions listed as “fixed” in the VMware Security Advisory. The vulnerable component is the ESXi hypervisor itself; vSphere, Cloud Foundation and Telco Cloud Platform are listed because they bundle ESXi, so the fix in each case is the patched ESXi build.
The three flaws, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have CVSS scores of 9.3, 8.2, and 7.1, respectively. Broadcom recommended that security teams immediately patch all the bugs listed in Tuesday's advisory.
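The practical first step is to compare every host's ESXi build number against the fixed builds in the advisory, because a host is vulnerable unless its build is at or above the fixed build for its release line. The script below is an added example, not code from the article or from Broadcom. It parses the version banner printed by `vmware -vl` on an ESXi host (the same version and build are reported by PowerCLI's `Get-VMHost`) and classifies the host. The fixed build numbers in the table were copied by hand from the advisory's response matrix for this example and should be confirmed against the advisory before use; the host names and the non-fixed build numbers in the sample inventory are constructed.

```python
import re

# Fixed ESXi builds per release line, taken from the VMSA-2025-0004
# response matrix. Confirm these against the advisory itself before
# relying on them; they are reproduced here by hand for this example.
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi 8.0 Update 3d
    "8.0.2": 24585300,  # ESXi 8.0 Update 2d
    "7.0.3": 24585291,  # ESXi 7.0 Update 3s
}

# Matches the first line of `vmware -vl` output on an ESXi host, e.g.
# "VMware ESXi 8.0.3 build-24585383". The third version component
# identifies the update line (8.0.3 is 8.0 Update 3, 7.0.3 is 7.0 Update 3).
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")


def parse_version(banner: str) -> tuple[str, int]:
    """Return (version, build) from a `vmware -vl` banner line."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised ESXi version banner: {banner!r}")
    return m.group(1), int(m.group(2))


def assess(banner: str) -> str:
    """Classify one host as 'patched', 'vulnerable', or 'no-fix-on-line'.

    Build numbers increase monotonically within a release line, so a build
    at or above the fixed build carries the fix. A line that is absent from
    the table (for example 8.0.0, 8.0.1, 7.0.2, or any 6.x release) received
    no patch and must be upgraded to a line that did.
    """
    version, build = parse_version(banner)
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return "no-fix-on-line"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host name -> status for a dict of host name -> version banner."""
    return {host: assess(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical host names; only the builds
# matching FIXED_BUILDS are real advisory values).
SAMPLE_INVENTORY = {
    "esx01": "VMware ESXi 8.0.3 build-24585383",  # at the fixed build
    "esx02": "VMware ESXi 8.0.3 build-24022510",  # older 8.0 U3 build
    "esx03": "VMware ESXi 7.0.3 build-23794027",  # older 7.0 U3 build
    "esx04": "VMware ESXi 8.0.1 build-22088125",  # line with no fix
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed the script real banners by collecting `vmware -vl` over SSH or by exporting `Name`, `Version` and `Build` from PowerCLI; anything that comes back as `vulnerable` or `no-fix-on-line` belongs at the top of the patch queue, and `no-fix-on-line` hosts need a line upgrade rather than a point patch.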
Jason Soroko, senior fellow at Sectigo, said the three VMware zero-day flaws pose a major risk. Attackers with administrative access can break out of guest OS sandboxes and seize hypervisor control.
Soroko added that the critical CVE-2025-22224 enables a heap overflow to execute code as the host’s VMX process, while CVE-2025-22225 and CVE-2025-22226, both high-severity, offer similar escalation paths. He said recent exploits targeting vCenter Server (CVE-2024-38813 and CVE-2024-38812) and past state-sponsored attacks (CVE-2023-34048) reveal a consistent pattern of deep system penetration via VMware flaws.
“The likely attackers are sophisticated adversaries, often state-sponsored or APT groups, with the resources to breach initial defenses,” said Soroko. “Their end goals include establishing deep, persistent access to virtualized infrastructures, bypassing security boundaries, moving laterally, exfiltrating sensitive data, deploying additional malware, and disrupting services.”