VMware Zero-Day Bugs: Patch Now to Prevent Sandbox Escapes
Three newly discovered zero-day vulnerabilities in VMware's ESXi, Workstation, and Fusion technologies are actively being exploited, giving attackers the ability to break out of virtual machines (VMs) and gain access to the underlying host. Broadcom, VMware’s parent company, has urgently advised organisations to apply patches immediately, as there are no available workarounds.
What’s at Stake?
These vulnerabilities—CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226—allow attackers who have already gained administrative access to a VM to escalate their attack, potentially compromising entire virtualised environments. Although an attacker needs initial access to exploit these flaws, the impact is severe:
-
CVE-2025-22224 (CVSS 9.3) – Allows arbitrary code execution at the hypervisor level, effectively breaking the VM’s containment.
-
CVE-2025-22225 (CVSS 8.2) – An arbitrary write vulnerability enabling attackers to execute code within the host system's kernel memory, leading to full host compromise.
-
CVE-2025-22226 (CVSS 7.1)– An information disclosure flaw that could expose sensitive data from affected VMware systems.
Attackers can exploit these vulnerabilities individually or chain them together for a more devastating impact. Given that VMware environments are widely used for enterprise IT infrastructure, these flaws present a significant risk, especially for organisations handling sensitive data.
CISA Adds VMware Bugs to Its High-Risk List
The urgency of this issue is underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies have been ordered to patch affected systems by March 25, or take them offline until fixes are applied.
No Workarounds – Patching Is Critical
Unlike some vulnerabilities that can be mitigated through configuration changes or temporary fixes, these VMware flaws have no available workarounds. The only way to eliminate the risk is to apply Broadcom’s security patches immediately.
According to Broadcom, organisations running VMware ESX, vSphere, Cloud Foundation, or Telco Cloud Platform versions prior to the patched releases are vulnerable.
Why These Vulnerabilities Matter
VMware’s virtualisation technologies are foundational to modern IT environments, making them attractive targets for cybercriminals. Exploiting these flaws allows attackers to:
-
Bypass security barriers and move laterally across virtualised infrastructures
-
Exfiltrate sensitive data, including encryption keys and customer information
-
Deploy additional malware or establish persistent access
-
Disrupt critical services, including cloud-hosted applications and enterprise systems
Over the past year, ransomware gangs have aggressively targeted VMware vulnerabilities. In 2023, multiple ransomware groups exploited an authentication bypass flaw in VMware ESXi to drop Akira, Black Basta, and other ransomware strains onto virtual machines. The ESXiArgs campaign, which encrypted VMware hypervisors across thousands of global servers, is another example of how attackers capitalise on these types of flaws.
Act Now to Secure Your Virtual Environment
These latest vulnerabilities serve as a reminder of why strong access controls and patch management are critical. Experts recommend enforcing least-privilege access, enabling multi-factor authentication (MFA), and monitoring for suspicious VM activity.
If left unpatched, these flaws could allow attackers to compromise entire virtual environments, leaving organisations exposed to data theft, ransomware, and long-term infiltration.
Security teams should act immediately by applying Broadcom’s patches and assessing their VMware infrastructure for potential compromise. Given the active exploitation of these flaws, waiting is not an option.
For more details, refer to VMware’s official security advisory and ensure your organisation stays ahead of emerging cyber threats.