VMware Zero-Day Bugs: Urgent Patching Advised by Broadcom

Broadcom Alerts Customers to Active Exploitation of VMware Vulnerabilities
Technology firm Broadcom has issued a warning that malicious actors are actively exploiting three VMware vulnerabilities. The attacks are aimed at the networks of Broadcom's business customers.
Details of the ESXicape Vulnerabilities
The vulnerabilities, known collectively as “ESXicape” among security professionals, affect VMware ESXi, Workstation, and Fusion. These are widely deployed hypervisors that allow many virtual machines to run on a single physical server, which reduces the amount of physical server hardware an organization needs.
Broadcom, having completed its acquisition of VMware in 2023, confirmed that these vulnerabilities – identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 – could permit an attacker possessing administrator or root-level access within a virtual machine to bypass its security sandbox.
Successful exploitation grants the attacker unauthorized, expanded access to the underlying hypervisor product.
Potential Impact of Hypervisor Compromise
Gaining control of the hypervisor allows an attacker to access any other virtual machine operating on the same system. This includes virtual systems belonging to separate companies sharing the same physical data center infrastructure.
Broadcom states it possesses evidence indicating that these vulnerabilities are currently being exploited in real-world attacks.
According to Stephen Fewer, principal security researcher at Rapid7, “The potential consequences are substantial; a compromised hypervisor can lead to the compromise of all other virtual machines sharing that hypervisor.”
Limited Disclosure and Ongoing Investigations
Broadcom has not released specific details concerning the nature of the attacks or the identity of the threat actors involved. Furthermore, the company has not disclosed whether any customer data has been compromised.
A Broadcom spokesperson did not respond to inquiries from TechCrunch. Similarly, Microsoft, which initially discovered and reported the vulnerabilities to Broadcom, also did not provide a response.
Ransomware Group Activity
Security researcher Kevin Beaumont reported on Mastodon that an unidentified ransomware group is actively exploiting these three vulnerabilities.
VMware vulnerabilities are frequently targeted by ransomware groups because of their potential to compromise multiple servers in a single attack. Virtualized environments often store sensitive corporate data, making them attractive targets.
Past VMware Exploitation
In 2024, Microsoft identified multiple ransomware groups exploiting a VMware hypervisor flaw to deploy Black Basta and LockBit ransomware and to steal data. Earlier, in 2023, the “ESXiArgs” campaign saw ransomware groups exploit a two-year-old VMware vulnerability, affecting thousands of organizations worldwide.
Remediation and Urgent Patching
Broadcom has released security patches addressing these vulnerabilities, classified as “zero-day” bugs due to their exploitation prior to the availability of a fix. The company has designated its security advisory as an “emergency” update and strongly advises customers to apply the patches immediately.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning to federal agencies, urging them to patch against these vulnerabilities. CISA has added these vulnerabilities to its catalog of actively exploited flaws.
Key Vulnerabilities
- CVE-2025-22224
- CVE-2025-22225
- CVE-2025-22226