VMware Releases Critical Security Updates for ESXi, Workstation, and Fusion (VMSA-2025-0004)

VMware has released critical and important security patches for VMware ESXi, VMware Workstation, and VMware Fusion to remediate multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226). These issues carry Critical and Important severity ratings with CVSSv3 base scores ranging from 7.1 to 9.3.

Below is a summary of the vulnerabilities, along with links to the fixed versions and recommended actions for administrators.

---

1. Affected Products

1. VMware ESXi
2. VMware Workstation Pro / Player (Workstation)
3. VMware Fusion
4. VMware Cloud Foundation
5. VMware Telco Cloud Platform
6. VMware Telco Cloud Infrastructure

---

2. Overview of Vulnerabilities

a) VMCI Heap-Overflow Vulnerability (CVE-2025-22224)

• Severity: Critical (CVSSv3 up to 9.3)
• Description: A TOCTOU (Time-of-Check Time-of-Use) flaw in VMware ESXi and Workstation leading to an out-of-bounds write.
• Impact: An attacker with local administrative privileges on a guest OS can execute code as the VMX process on the underlying host.
• Resolution: Install the patched versions detailed in the Response Matrix.

b) VMware ESXi Arbitrary Write (CVE-2025-22225)

• Severity: Important (CVSSv3 up to 8.2)
• Description: A privilege escalation issue in VMware ESXi that allows a user within the VMX process to perform arbitrary writes, potentially escaping the sandbox.
• Impact: Unauthorized access or compromise of the host system from a guest environment.
• Resolution: Install the patched versions detailed in the Response Matrix.

c) HGFS Information-Disclosure Vulnerability (CVE-2025-22226)

• Severity: Important (CVSSv3 up to 7.1)
• Description: An out-of-bounds read in the Host-Guest File System (HGFS) could leak information from the VMX process.
• Impact: Attackers with administrative privileges in a guest OS can read sensitive memory from the host.
• Resolution: Install the patched versions detailed in the Response Matrix.

---

3. Known Attack Vectors

• CVE-2025-22224: Requires local administrative privileges on a virtual machine to trigger a heap-overflow in the host VMX process.
• CVE-2025-22225: Involves malicious code running within the VMX process to perform sandbox escape.
• CVE-2025-22226: Requires administrative privileges in a guest OS to read memory from the host VMX process.

VMware has indicated that evidence suggests these vulnerabilities are being exploited in the wild. Immediate patching is highly recommended.

4. Response Matrix (Fixed Versions & Links)

VMware Product	Version	CVE	CVSSv3	Severity	Fixed Version	Downloads & Documentation
VMware ESXi	8.0	CVE-2025-22224, CVE-2025-22225, CVE-2025-22226	9.3, 8.2, 7.1	Critical	ESXi80U3d-24585383 / ESXi80U2d-24585300	ESXi80U3d-24585383 ESXi80U2d-24585300 Release Notes (U3d) Release Notes (U2d)
VMware ESXi	7.0	CVE-2025-22224, CVE-2025-22225, CVE-2025-22226	9.3, 8.2, 7.1	Critical	ESXi70U3s-24585291	ESXi70U3s-24585291 Release Notes
VMware Workstation	17.x	CVE-2025-22224, CVE-2025-22226	9.3, 7.1	Critical	17.6.3	Windows Linux Release Notes
VMware Fusion	13.x	CVE-2025-22226	7.1	Important	13.6.3	Fusion 13.6.3 Release Notes
VMware Cloud Foundation	5.x, 4.5.x	CVE-2025-22224, CVE-2025-22225, CVE-2025-22226	9.3, 8.2, 7.1	Critical	Async patch to ESXi80U3d-24585383 Async patch to ESXi70U3s-24585291	Async Patching Guide: KB88287
VMware Telco Cloud Platform	5.x, 4.x, 3.x, 2.x	CVE-2025-22224, CVE-2025-22225, CVE-2025-22226	9.3, 8.2, 7.1	Critical	KB389385	Telco Cloud Platform Docs
VMware Telco Cloud Infrastructure	3.x, 2.x	CVE-2025-22224, CVE-2025-22225, CVE-2025-22226	9.3, 8.2, 7.1	Critical	KB389385	Telco Cloud Infrastructure Docs

---

5. Workarounds

No official workarounds are available. VMware recommends immediate patching to eliminate the risk posed by these vulnerabilities.

---

6. Exploitation in the Wild

VMware by Broadcom indicates that exploitation of CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 has already been observed in the wild. As a result, these patches should be treated with high urgency.

---

7. Additional Documentation

• VMSA-2025-0004 FAQ: brcm.tech/vmsa-2025-0004
• Async Patching Guide (Cloud Foundation): KB88287

---

8. Recommendations

1. Patch Immediately: Given the high severity and evidence of in-the-wild exploitation, prioritize patch deployment for the affected products.
2. Verify Patch Levels: Confirm installation of the versions referenced in the table above.
3. Monitor for Indicators of Compromise: Watch for abnormal processes or logs related to VMX processes.
4. Limit Access to Virtual Machines: Restrict who can gain administrative privileges on guest operating systems.
5. Follow VMware Guidance: Regularly check VMware advisories and knowledge base articles for updates or additional instructions.

---

9. References and CVE Links

• VMware Security Advisory: VMSA-2025-0004
• Mitre CVE Dictionary:
  • CVE-2025-22224
  • CVE-2025-22225
  • CVE-2025-22226
• CVSSv3 Calculators:
  • CVE-2025-22224
  • CVE-2025-22225
  • CVE-2025-22226

🔥Subscribe to the channel: youtube.be/@AngryAdmin 🔥

🚨Dive into my blog: angrysysops.com

🚨Snapshots 101: a.co/d/fJVHo5v

🌐Connect with us:

• 👊Facebook: facebook.com/AngrySysOps
• 👊X: twitter.com/AngrySysOps
• 👊My Podcast: creators.spotify.com/pod/show/angrysysops
• 👊Mastodon: techhub.social/@AngryAdmin

💻Website: angrysysops.com

🔥vExpert info: vExpert Portal