Critical Vulnerabilities in VMware ESXi (CVE-2025-22224, CVE-2025-22225) Under Active Exploitation

Executive Summary

On March 4th, 2025, Broadcom published an advisory detailing multiple critical vulnerabilities in its VMware ESXi product. Two of the vulnerabilities (CVE-2025-22224 and CVE-2025-22225) can be chained: an attacker with local administrator privileges inside a guest virtual machine first gains code execution in that VM's VMX process on the host, and then escapes the VMX sandbox to the hypervisor itself.

ESXi is a bare-metal hypervisor used to run virtual machines. A very common use case is to host services that are normally exposed to the internet, such as web servers or file transfer servers. This means that an attacker who gains administrative access to an internet-connected virtual machine hosted on ESXi may then use these vulnerabilities to escape the guest and take control of the underlying ESXi host, and with it the other virtual machines on that host.

The same day that Broadcom published its advisory, CISA released an alert adding these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating that exploitation by malicious threat actors has been confirmed. Given this, Beazley Security strongly recommends that affected organizations apply Broadcom's updates to their ESXi hosts as soon as possible.

Affected Systems and Products

Broadcom released patches with its public advisory. The affected and fixed versions are listed in the following table. ESXi 8.0 has two fixed builds because the 8.0 Update 3 and 8.0 Update 2 release lines are patched separately; apply the build that matches the line your hosts are on.

Software                          | Affected Versions     | Fixed Version / Patch
----------------------------------|-----------------------|-----------------------
VMware ESXi                       | 8.0 (Update 3 line)   | ESXi80U3d-24585383
VMware ESXi                       | 8.0 (Update 2 line)   | ESXi80U2d-24585300
VMware ESXi                       | 7.0                   | ESXi70U3s-24585291
VMware Workstation                | 17.x                  | 17.6.3
VMware Fusion                     | 13.x                  | 13.6.4
VMware Cloud Foundation           | 5.x                   | ESXi80U3d-24585383
VMware Cloud Foundation           | 4.5.x                 | ESXi70U3s-24585291
VMware Telco Cloud Platform       | 5.x, 4.x, 2.x         | KB389385
VMware Telco Cloud Infrastructure | 3.x, 2.x              | KB389385
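The practical question for an ESXi fleet is whether each host's build number is at or past the fixed build for its release line. The following script is an added example (not part of the advisory and not Broadcom tooling) that parses the output of `vmware -v` or `esxcli system version get` from an ESXi host and classifies it against the fixed builds in the table above. It assumes Broadcom's x.y.N numbering maps "x.y Update N" to x.y.N (so the 8.0 Update 3 line reports 8.0.3 and the Update 2 line reports 8.0.2), and the sample outputs it runs over are constructed, not captured from real hosts.

```python
import re

# Minimum fixed ESXi build per version line, taken from the advisory table.
# Assumption: Broadcom's x.y.N numbering maps "x.y Update N" to x.y.N, so the
# 8.0 Update 3 line reports 8.0.3 and the 8.0 Update 2 line reports 8.0.2.
FIXED_BUILDS = {
    "7.0.3": 24585291,  # ESXi70U3s-24585291
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "8.0.3": 24585383,  # ESXi80U3d-24585383
}

# In-scope version lines with no fixed build listed in the advisory; a host on
# one of these must move to a fixed line rather than wait for a patch.
LINES_WITHOUT_FIX = {"7.0.0", "7.0.1", "7.0.2", "8.0.0", "8.0.1"}

# `vmware -v` prints "VMware ESXi 8.0.3 build-24585383";
# `esxcli system version get` prints "Version: 8.0.3" and "Build: Releasebuild-24585383".
_VERSION_RE = re.compile(r"(?:ESXi|Version:)\s*(\d+\.\d+\.\d+)")
_BUILD_RE = re.compile(r"build-(\d+)", re.IGNORECASE)


def parse_esxi_version(text):
    """Return (version, build) from either output form, or None if missing."""
    version = _VERSION_RE.search(text)
    build = _BUILD_RE.search(text)
    if version is None or build is None:
        return None
    return version.group(1), int(build.group(1))


def assess_esxi_host(text):
    """Classify a host as 'patched', 'vulnerable', 'upgrade-required'
    (affected line with no fix listed) or 'unknown' (unparseable output or
    a version outside the advisory's table)."""
    parsed = parse_esxi_version(text)
    if parsed is None:
        return "unknown"
    version, build = parsed
    if version in FIXED_BUILDS:
        # Build numbers increase monotonically within a release line, so any
        # build at or past the fixed one carries the fix.
        return "patched" if build >= FIXED_BUILDS[version] else "vulnerable"
    if version in LINES_WITHOUT_FIX:
        return "upgrade-required"
    # Deliberately not "patched": anything we cannot place in the table needs
    # a human look rather than a silent pass.
    return "unknown"


def assess_fleet(outputs):
    """Map hostname -> status for a dict of hostname -> version output."""
    return {host: assess_esxi_host(out) for host, out in outputs.items()}


if __name__ == "__main__":
    # Constructed sample outputs for illustration, not captured from real hosts.
    SAMPLES = {
        "esx-01": "VMware ESXi 8.0.3 build-24585383",  # the fixed U3d build
        "esx-02": "VMware ESXi 8.0.3 build-24022510",  # an earlier U3 build
        "esx-03": "Product: VMware ESXi\nVersion: 7.0.3\n"
                  "Build: Releasebuild-24585291\nUpdate: 3\n",
        "esx-04": "VMware ESXi 8.0.1 build-22088125",  # line with no fix listed
        "esx-05": "VMware ESXi 6.7.0 build-17700523",  # not in the advisory table
        "esx-06": "ssh: connect to host esx-06 port 22: Connection refused",
    }
    for host, status in sorted(assess_fleet(SAMPLES).items()):
        print(f"{host}: {status}")
```

The version strings can be collected over SSH with `vmware -v` or `esxcli system version get`, or assembled from the `Version` and `Build` properties that PowerCLI's `Get-VMHost` returns. The check covers ESXi hosts only, including the ESXi hosts inside a Cloud Foundation deployment, since the Cloud Foundation fix is the same ESXi build; Workstation, Fusion and the Telco products report versions differently and need their own checks against the table.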

Mitigations and Workarounds

Broadcom reports that there are no mitigations or workarounds; applying the software patches is the only remediation.

Patches

Broadcom released product patches with its advisory; further information is available on Broadcom's product technical documentation pages. Refer to the product table in the "Affected Systems and Products" section of this advisory for the specific patch build or knowledge base article per product.

Threat Intelligence

CISA released an alert on the same day as Broadcom's advisory reporting that these vulnerabilities were observed and confirmed to be actively used by malicious threat actors. No other specifics or details have been provided by CISA or reported by any third parties.

Technical Details

According to the VMware Security Advisory (VMSA), CVE-2025-22224 and CVE-2025-22225 can be chained to escape from a running virtual machine, given administrative privileges inside the guest, to the ESXi hypervisor host. CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) race that leads to an out-of-bounds write; it is the initial step and gives the attacker code execution in the VM's VMX process on the host. CVE-2025-22225 is an arbitrary write reachable from the VMX process, used to escape the VMX sandbox into the hypervisor. A third issue, CVE-2025-22226, is an out-of-bounds read in the Host-Guest File System (HGFS) that leaks memory from the VMX process and can be used alongside the chain.

The patches are large, so diffing them to recover the vulnerable code paths is, for now, realistic mainly for well-resourced threat actors; until further details of each vulnerability are published we do not expect individual attackers to reproduce this attack. VMware states it has reason to believe CVE-2025-22225 has been exploited in the wild, and CISA confirmed in-the-wild use as of the date of publishing.

For most organizations, exposing management access to a hypervisor at the network edge is inadvisable. Hypervisors should be treated as infrastructure, with access placed behind trusted authentication mechanisms. This attack, however, sidesteps that control: it starts from a virtual machine running on the hypervisor rather than from the management interface. Exploitation requires a compromised guest with administrative/root access, and because any internet-facing VM can be that foothold, it is hard for an organization to establish with confidence that it is not exposed. For this reason all organizations should patch their VMware ESXi instances regardless of how the hosts themselves are exposed.

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations to remediate any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
