
Critical Vulnerabilities Found in VMware ESXi – Cybercriminals Are Exploiting Them!
A major announcement in the cybersecurity industry – VMware has confirmed the presence of three critical vulnerabilities in its ESXi, Workstation, and Fusion products. According to the official security advisory VMSA-2025-0004, attackers are already actively exploiting these vulnerabilities.
These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, can allow attackers to perform the following dangerous actions:
✅ Execute malicious code
✅ Elevate user privileges
✅ Steal sensitive memory data
The most critical of these, CVE-2025-22224, has received a CVSSv3 score of 9.3, as it allows an attacker to execute hypervisor-level code from a compromised virtual machine. This could completely compromise virtualization security.
Detailed Analysis of Each Vulnerability
1. CVE-2025-22224 – VMCI Heap-Overflow Vulnerability
This vulnerability is located in VMware’s Virtual Machine Communication Interface (VMCI) and can be exploited by an attacker with local administrator privileges to execute code on the host system.
🔹 Cause: A Time-of-Check-to-Time-of-Use (TOCTOU) race condition: the data is validated, then changed before it is actually used, so the later use relies on a value that was never checked and results in an out-of-bounds write.
🔹 Discovered by: Microsoft Threat Intelligence Center experts.
🔹 Exploited in the wild: Cybercriminals are already using this vulnerability in real-world attacks.
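To make the TOCTOU mechanism concrete, here is an added model of the check-then-use pattern described above. It is illustrative code written for this article, not VMware's VMCI implementation: the "shared" buffer, the 2-byte length header and the `guest_flips_length` race hook are all constructed assumptions. The vulnerable handler validates the length field and then re-reads it from memory the other side can still write to; the hardened handler snapshots the header once and uses only the copy it validated.

```python
"""Model of a double-fetch (TOCTOU) check-then-use bug and its fix.

Added example, not VMware code. A host-side handler reads a length field
from a buffer that the guest side can write to concurrently. The race window
between the check and the use is made explicit through a callback so the
behaviour is deterministic and testable.
"""
import struct
from dataclasses import dataclass

MAX_PAYLOAD = 64                 # constructed limit the handler enforces
HDR = struct.Struct("<H")        # constructed 2-byte little-endian length field
SHARED_SIZE = 512                # constructed size of the guest-writable region


@dataclass
class CopyResult:
    validated: int      # length that passed the bounds check
    used: int           # length actually fed to the copy
    overrun_bytes: int  # bytes that would land past the destination buffer


def make_shared(payload_len: int) -> bytearray:
    """Build the guest-writable region: [len][payload...][slack]."""
    buf = bytearray(SHARED_SIZE)
    HDR.pack_into(buf, 0, payload_len)
    buf[HDR.size:HDR.size + payload_len] = b"A" * payload_len
    return buf


def model_memcpy(dest: bytearray, src: bytearray, n: int) -> int:
    """Copy n bytes and report how many would overrun dest (modelled, not
    performed: Python cannot corrupt adjacent memory, C can)."""
    in_bounds = min(n, len(dest))
    dest[:in_bounds] = src[HDR.size:HDR.size + in_bounds]
    return n - in_bounds


def guest_flips_length(shared: bytearray) -> None:
    """Simulated concurrent writer: rewrites the length after the check."""
    HDR.pack_into(shared, 0, 300)


def no_race(shared: bytearray) -> None:
    """Benign timing: nothing changes between check and use."""


def handler_vulnerable(shared: bytearray, race) -> CopyResult:
    """Checks one fetch of the length, then uses a second fetch."""
    checked = HDR.unpack_from(shared, 0)[0]          # fetch #1: validated
    if checked > MAX_PAYLOAD:
        raise ValueError("payload too large")
    race(shared)                                      # window the writer exploits
    used = HDR.unpack_from(shared, 0)[0]              # fetch #2: never re-checked
    dest = bytearray(MAX_PAYLOAD)
    return CopyResult(checked, used, model_memcpy(dest, shared, used))


def handler_fixed(shared: bytearray, race) -> CopyResult:
    """Snapshots the header once; check and use see the same value."""
    hdr = bytes(shared[:HDR.size])                    # private copy of the header
    n = HDR.unpack_from(hdr, 0)[0]
    if n > MAX_PAYLOAD:
        raise ValueError("payload too large")
    race(shared)                                      # writer can no longer influence n
    dest = bytearray(MAX_PAYLOAD)
    return CopyResult(n, n, model_memcpy(dest, shared, n))


if __name__ == "__main__":
    for name, handler in (("vulnerable", handler_vulnerable), ("fixed", handler_fixed)):
        r = handler(make_shared(16), guest_flips_length)
        print(f"{name}: validated={r.validated} used={r.used} overrun={r.overrun_bytes}")
```

The fix is not "check harder" but "fetch once": any value read from memory another party controls must be copied into private storage before it is validated, and every later use must work from that private copy.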
2. CVE-2025-22225 – ESXi Arbitrary Write Vulnerability
This vulnerability, with a CVSS score of 8.2, allows an attacker with access to the VMX process to break out of a sandboxed environment.
🔹 Risk: Attackers can modify kernel-level critical data and gain privileged access to the system.
3. CVE-2025-22226 – HGFS Information Disclosure Vulnerability
This vulnerability, rated 7.1 on the CVSS scale, is located in VMware’s Host-Guest File System (HGFS). Attackers can exploit it to steal sensitive data from the VMX process memory.
🔹 Key Threat: An attacker with administrative privileges on a virtual machine can expose critical host system data.
Previous VMware Attacks
This is not the first time VMware systems have been targeted by serious cyberattacks:
📌 July 2024 – Akira and Black Basta ransomware groups exploited CVE-2024-37085, compromising over 20,000 ESXi servers by encrypting virtual machines and demanding ransom.
📌 2022 – The VMSA-2022-0004 advisory reported a vulnerability in the USB virtual controller, which was later exploited for VM escape attacks.
The repeated discovery of such vulnerabilities highlights the growing security risks in virtualization infrastructure.
Protection Measures – Update Immediately!
🔹 ESXi 8.x: Apply the latest security patches according to VMSA-2025-0004 recommendations.
🔹 Workstation/Fusion: Update to 17.5.2 or 18.5.1.
🔹 Cloud Foundation/Telco Cloud: Follow VMware’s official guidelines for necessary updates.
🚨 Warning! There are no alternative security measures for these vulnerabilities – delaying updates is not an option!
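The first step in following the advisory is knowing which hosts still run a pre-fix build. The script below is an added example written for this article, not a VMware tool: it parses the output of `esxcli system version get` or `vmware -vl` collected from each host and compares the build number against the fixed build for that host's release line. The build numbers in `FIXED_BUILDS` and in the sample outputs are constructed placeholders; replace the table with the fixed builds listed in VMSA-2025-0004 before using it.

```python
"""Flag ESXi hosts whose reported build predates the fixed build for their line.

Added example, not a VMware tool. Input is the raw text of
`esxcli system version get` (preferred) or `vmware -vl` from each host.
Build numbers increase monotonically within a release line, so the
comparison is only meaningful against the fixed build of the same line.
"""
import re
from dataclasses import dataclass

# PLACEHOLDER values: substitute the 'Fixed Version' builds from VMSA-2025-0004.
FIXED_BUILDS = {
    "8.0": 24500000,   # placeholder, not a real build number
    "7.0": 19800000,   # placeholder, not a real build number
}

_ESXCLI_RE = re.compile(r"^\s*(Product|Version|Build):\s*(.+?)\s*$", re.MULTILINE)
_VMWARE_VL_RE = re.compile(r"^(VMware ESXi)\s+(\d+\.\d+\.\d+)\s+build-(\d+)", re.MULTILINE)


@dataclass
class HostVersion:
    product: str
    version: str   # e.g. "8.0.3"
    build: int

    @property
    def line(self) -> str:
        """Release line used to look up the fixed build, e.g. "8.0"."""
        major, minor = self.version.split(".")[:2]
        return f"{major}.{minor}"


def parse_version_output(text: str) -> HostVersion:
    """Accept either esxcli's key/value block or the one-line vmware -vl form."""
    fields = dict(_ESXCLI_RE.findall(text))
    if {"Product", "Version", "Build"}.issubset(fields):
        # esxcli reports e.g. "Releasebuild-24585383"; keep the trailing number.
        build = int(re.search(r"(\d+)\s*$", fields["Build"]).group(1))
        return HostVersion(fields["Product"], fields["Version"], build)
    m = _VMWARE_VL_RE.search(text)
    if m:
        return HostVersion(m.group(1), m.group(2), int(m.group(3)))
    raise ValueError("unrecognised version output")


def assess(hv: HostVersion) -> str:
    """Compare the host's build with the fixed build of its own release line."""
    fixed = FIXED_BUILDS.get(hv.line)
    if fixed is None:
        return "unknown-line"   # not in the table: check the advisory by hand
    return "patched" if hv.build >= fixed else "vulnerable"


def triage(hosts: dict) -> dict:
    """Map host name -> status for a batch of collected version outputs."""
    result = {}
    for name, text in hosts.items():
        try:
            result[name] = assess(parse_version_output(text))
        except ValueError as exc:
            result[name] = f"parse-error: {exc}"
    return result


# Constructed sample outputs (the build numbers are placeholders).
SAMPLE_OUTPUT = {
    "esx-01": ("   Product: VMware ESXi\n   Version: 8.0.3\n"
               "   Build: Releasebuild-24400000\n   Update: 3\n   Patch: 0\n"),
    "esx-02": ("   Product: VMware ESXi\n   Version: 8.0.3\n"
               "   Build: Releasebuild-24500000\n   Update: 3\n   Patch: 0\n"),
    "esx-03": "VMware ESXi 7.0.3 build-19700000\nVMware ESXi 7.0 Update 3\n",
    "esx-04": "VMware ESXi 6.7.0 build-17700000\n",
    "esx-05": "ssh: connect to host esx-05 port 22: Connection refused\n",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_OUTPUT).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown-line` or `parse-error` need manual attention rather than being assumed safe; a check that silently skips a host is worse than one that reports it as unresolved.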
Additional Security Recommendations
🔹 Isolate ESXi hosts – Place them in a separate network segment disconnected from the internet.
🔹 Restrict administrative privileges – Grant only the minimum necessary permissions.
🔹 Use secure authentication methods – Enable two-factor authentication (2FA).
🔹 Stay informed about new vulnerabilities – Subscribe to VMware’s official blog and security advisories.
Conclusion
🔹 Critical vulnerabilities in VMware ESXi, Workstation, and Fusion pose a significant cybersecurity threat.
🔹 Attackers are actively exploiting these flaws, and attacks are ongoing.
🔹 VMware urges users to apply security updates immediately.
🔹 Delaying updates increases risks and provides opportunities for cybercriminals.
🛡 Cybersecurity is a continuous battle. If updates are postponed, virtual infrastructure remains at risk. Strengthen your defenses today! 🔐