Broadcom Issues Urgent Warning on VMware Zero-Day Exploits
Broadcom is urging VMware customers to apply emergency security patches after learning that three vulnerabilities, the most severe of them rated critical, are being actively exploited by attackers. The flaws, nicknamed "ESXicape" by a security researcher, affect VMware ESXi, Workstation, and Fusion, widely used hypervisor products that run multiple virtual machines on a single physical host.
What Are the Vulnerabilities?
The vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow an attacker who already holds administrator or root privileges inside a guest virtual machine to break out of that guest and gain unauthorized access to the underlying hypervisor. An attacker who controls the hypervisor can then reach every other virtual machine running on the same host, which in a shared data center may belong to several different organizations.
Broadcom, which acquired VMware in 2023, has acknowledged the risk, stating that it has information indicating these vulnerabilities are already being exploited in the wild.
"The impact here is huge. An attacker who has compromised a hypervisor can go on to compromise any other virtual machines sharing the same hypervisor," said Stephen Fewer, principal security researcher at Rapid7, in an interview with TechCrunch.
Who Is Behind the Attacks?
Broadcom has not disclosed details about the nature of the attacks or the threat actors responsible. Microsoft, which is credited with discovering and reporting the vulnerabilities, has also not commented. However, security researcher Kevin Beaumont posted on Mastodon that an unnamed ransomware group is actively exploiting the vulnerabilities.
VMware: A Frequent Ransomware Target
VMware hypervisors have long been a prime target for ransomware groups because a single host runs many virtual servers. By compromising one hypervisor, attackers can reach sensitive corporate data across every virtual machine it hosts, and encrypt or steal it in one operation.
Past incidents highlight the growing trend of VMware-focused ransomware attacks:
In 2024, multiple ransomware groups exploited a VMware hypervisor flaw to deploy Black Basta and LockBit ransomware, stealing corporate data.
The ESXiArgs campaign in 2023 exploited a VMware vulnerability that had been patched two years earlier to compromise thousands of ESXi servers worldwide.
Urgent Action Required
Broadcom has released patches to address these zero-day vulnerabilities and strongly advises customers to apply them immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging federal agencies to patch their systems.
Given the high-risk nature of these vulnerabilities, organizations using VMware products should prioritize patching to prevent potential breaches.
Actionable Steps:
- Apply Broadcom's emergency patches as soon as possible, and verify afterwards that every host actually reports a fixed build rather than assuming the update succeeded.
- Because exploitation starts from an administrator or root account inside a guest, treat any compromised virtual machine as a path to the host and to every other virtual machine on it.
- Monitor hypervisor logs for unexpected administrative activity and unexplained restarts of the virtual machine processes.
- Restrict administrative access to hypervisors and to the guests running on them.
- Implement network segmentation to limit lateral movement in case of a breach.
Failure to address these vulnerabilities could leave organizations vulnerable to widespread cyberattacks, particularly from ransomware groups targeting VMware infrastructure.
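One check a practitioner wants after patching is confirmation that every host really carries a fixed build. The script below is an added example written for this article, not Broadcom or VMware tooling. It parses the output of `esxcli system version get` (collected over SSH or from vCenter, however you normally reach your hosts) and compares each host's build against a minimum build for its release line. The minimum builds in FIXED_BUILDS are placeholders, as are the hostnames and build numbers in the sample inventory; take the real fixed builds from Broadcom's advisory for these CVEs. Workstation and Fusion are desktop products and are not covered by this check.

```python
"""Audit ESXi hosts against the fixed builds of a Broadcom advisory.

Added example for this article; not Broadcom or VMware tooling.
Reads `esxcli system version get` output per host and flags hosts
whose build is below the minimum fixed build for their release line.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum patched build per ESXi release line.  These numbers are
# PLACEHOLDERS (hypothetical): replace them with the fixed build
# numbers listed in Broadcom's advisory for these CVEs.
FIXED_BUILDS: Dict[str, int] = {
    "8.0": 24500000,
    "7.0": 24500000,
}

# Constructed sample inventory in the format `esxcli system version get`
# prints; hostnames and build numbers are made up for the example.
# esx04 shows what a failed collection looks like.
SAMPLE_INVENTORY: Dict[str, str] = {
    "esx01.example.internal": (
        "   Product: VMware ESXi\n"
        "   Version: 8.0.3\n"
        "   Build: Releasebuild-24600001\n"
        "   Update: 3\n"
        "   Patch: 0\n"
    ),
    "esx02.example.internal": (
        "   Product: VMware ESXi\n"
        "   Version: 7.0.3\n"
        "   Build: Releasebuild-23400000\n"
        "   Update: 3\n"
        "   Patch: 0\n"
    ),
    "esx03.example.internal": (
        "   Product: VMware ESXi\n"
        "   Version: 6.7.0\n"
        "   Build: Releasebuild-17700000\n"
        "   Update: 3\n"
        "   Patch: 0\n"
    ),
    "esx04.example.internal": "ssh: connect to host esx04 port 22: Connection timed out\n",
}

_VERSION_RE = re.compile(r"^\s*Version:\s*(\d+)\.(\d+)\.(\d+)\s*$", re.M)
_BUILD_RE = re.compile(r"^\s*Build:\s*(?:Releasebuild-)?(\d+)\s*$", re.M)


def parse_version_output(text: str) -> Optional[Tuple[str, int]]:
    """Return (release line such as '8.0', build number), or None when the
    text is not recognisable esxcli output (for example a connection error)."""
    v = _VERSION_RE.search(text)
    b = _BUILD_RE.search(text)
    if not v or not b:
        return None
    return f"{v.group(1)}.{v.group(2)}", int(b.group(1))


def host_status(text: str, fixed: Dict[str, int] = FIXED_BUILDS) -> str:
    """Classify one host as 'patched', 'vulnerable', 'unsupported' (release
    line absent from the fix table, needs manual review) or 'unknown'
    (no parseable output, so it must not be counted as patched)."""
    parsed = parse_version_output(text)
    if parsed is None:
        return "unknown"
    line, build = parsed
    if line not in fixed:
        return "unsupported"
    return "patched" if build >= fixed[line] else "vulnerable"


def audit(inventory: Dict[str, str], fixed: Dict[str, int] = FIXED_BUILDS) -> Dict[str, str]:
    """Map every hostname to its status; a host is never dropped silently."""
    return {host: host_status(text, fixed) for host, text in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {status}")
```

The point of the separate "unknown" and "unsupported" states is that a host you could not reach, or one on a release line the advisory does not fix, is still exposed; only hosts that positively report a build at or above the fixed build count as patched.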
Image credit: Broadcom. The image used in this article is the property of Broadcom