Three critical vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) are actively exploited, posing a significant threat to VMware virtualization environments. Review the details in this Cybersecurity Threat Advisory to learn how to mitigate your risks.
What is the threat?
These vulnerabilities present serious risks to virtualized environments, as cybercriminals can exploit critical flaws to gain unauthorized access and carry out malicious activities. Below are the details of these vulnerabilities and their potential impact on system security:
- CVE-2025-22224: This Time-of-Check Time-of-Use (TOCTOU) vulnerability enables an out-of-bounds write, allowing a local attacker with administrative privileges to execute arbitrary code on the host.
- CVE-2025-22225: This flaw enables arbitrary writes within the VMX process, potentially allowing an attacker to escape the virtual machine and compromise the host system.
- CVE-2025-22226: An out-of-bounds read vulnerability in the Host-Guest File System (HGFS) that can lead to data disclosure, enabling an attacker with admin privileges to extract sensitive information.
Why is it noteworthy?
If left unaddressed, these vulnerabilities could lead to increased disruptions in virtual services, threatening the stability and security of critical business communications and operations that rely on VMware’s virtualization software. Additionally, evidence shows that threat actors are actively exploiting these vulnerabilities in the wild, highlighting the urgent need for organizations to apply the necessary updates promptly.
What is the exposure or risk?
The risks associated with these vulnerabilities are significant for virtualization environments. If not mitigated, they could lead to severe consequences, including unauthorized code execution, data breaches through data exfiltration, and lateral movement out of the virtual machine’s sandbox. An attacker who gains access to the hypervisor can go on to compromise the security of the entire virtualized environment.
What are the recommendations?
Barracuda recommends the following actions to mitigate risks from these vulnerabilities:
- Apply security updates to the following products:
  - VMware ESXi 8.0: Update to ESXi80U3d-24585383 or ESXi80U2d-24585300.
  - VMware ESXi 7.0: Update to ESXi70U3s-24585291.
  - VMware Workstation 17.x: Update to version 17.6.3.
  - VMware Fusion 13.x: Update to version 13.6.3.
  - VMware Cloud Foundation 5.x: Apply async patch to ESXi80U3d-24585383.
  - VMware Cloud Foundation 4.x: Apply async patch to ESXi70U3s-24585291.
  - VMware Telco Cloud Platform (5.x, 4.x, 3.x, 2.x): Update to ESXi 7.0U3s, ESXi 8.0U2d, or ESXi 8.0U3d.
  - VMware Telco Cloud Infrastructure (3.x, 2.x): Update to ESXi 7.0U3s.
- Conduct regular security assessments of your VMware environments to identify and remediate potential vulnerabilities or misconfigurations.
- Restrict administrative privileges to only those users who absolutely need them. Regularly review and update access controls and credentials to minimize the risk of exploitation.
- Maintain regular backups of critical virtual machines and isolate backup systems from the main network to protect against ransomware and other attacks.
- Create and regularly update an incident response plan that includes specific procedures for addressing vulnerabilities in virtualization environments.
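To check an ESXi fleet against the fixed builds listed above, here is an added example that is not part of this advisory or of VMware's tooling: it parses the key/value output of `esxcli system version get` and reports any host below the fixed build for its release line. The sample outputs are constructed, and the check assumes build numbers increase within a release line, so that any later build on that line includes the fix.

```python
from __future__ import annotations
import re
# First fixed ESXi build per release line, taken from the advisory above:
# (major.minor, Update) -> build number. Assumption: build numbers increase
# within a release line, so any build >= the fixed one carries the fix.
FIXED_BUILDS = {
    ("8.0", "3"): 24585383,  # ESXi80U3d-24585383
    ("8.0", "2"): 24585300,  # ESXi80U2d-24585300
    ("7.0", "3"): 24585291,  # ESXi70U3s-24585291
}

def parse_esxcli_version(text: str) -> tuple[str, str, int]:
    """Parse `esxcli system version get` output into (release line, update, build)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    parts = fields["Version"].split(".")                # e.g. "8.0.3"
    release_line = ".".join(parts[:2])                  # -> "8.0"
    update = fields.get("Update") or (parts[2] if len(parts) > 2 else "0")
    match = re.search(r"(\d+)\s*$", fields["Build"])    # "Releasebuild-24585383"
    if not match:
        raise ValueError(f"unparsable Build field: {fields['Build']!r}")
    return release_line, update, int(match.group(1))

def assess_host(esxcli_output: str) -> tuple[bool, str]:
    """Return (patched, reason) for one host against FIXED_BUILDS."""
    line, update, build = parse_esxcli_version(esxcli_output)
    fixed = FIXED_BUILDS.get((line, update))
    if fixed is None:
        return False, f"ESXi {line} U{update}: no fixed build listed; move to a listed build"
    patched = build >= fixed
    return patched, f"ESXi {line} U{update}: build {build} {'>=' if patched else '<'} fixed {fixed}"

# Constructed sample outputs (not captured from real hosts).
SAMPLE_HOSTS = {
    "esx01": "Product: VMware ESXi\nVersion: 8.0.3\nBuild: Releasebuild-24585383\nUpdate: 3\n",
    "esx02": "Product: VMware ESXi\nVersion: 7.0.3\nBuild: Releasebuild-24000000\nUpdate: 3\n",
    "esx03": "Product: VMware ESXi\nVersion: 8.0.1\nBuild: Releasebuild-24000000\nUpdate: 1\n",
}

def hosts_needing_update(samples: dict[str, str]) -> list[str]:
    # Names of hosts that are not on a fixed build, sorted.
    return sorted(h for h, out in samples.items() if not assess_host(out)[0])

if __name__ == "__main__":
    for host, out in SAMPLE_HOSTS.items():
        patched, reason = assess_host(out)
        print(f"{host}: {'OK' if patched else 'UPDATE REQUIRED'} ({reason})")
```

Workstation, Fusion and the Cloud Foundation async patches are not covered by this check; they are verified against the product version numbers listed above instead.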
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/
- https://thehackernews.com/2025/03/vmware-security-flaws-exploited-in.html
- https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.