VMware Patches Three Actively Exploited Bugs

VMware has released fixes for three separate vulnerabilities in its ESXi, Workstation, and Fusion products, all of which have already been exploited in the wild. CISA has added all three vulnerabilities to its Known Exploited Vulnerabilities catalog.

CVEs: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

Why It Matters: All of the affected VMware products are widely used by enterprises and are frequent targets for attackers. One of the vulnerabilities (CVE-2025-22224) is a critical bug, while the other two are classified as important. Notably, all three flaws were discovered and reported by researchers from the Microsoft Threat Intelligence Center (MSTIC). MSTIC tracks highly competent attack teams, such as state-backed actors and APTs, and often detects those groups using zero days or exploiting known vulnerabilities in the wild. Combining these three vulnerabilities can give an attacker the ability to escalate privileges, escape the sandbox, and run arbitrary code.

Key Details

  • CVE-2025-22224 is a time-of-check to time-of-use (TOCTOU) vulnerability that affects VMware ESXi and Workstation. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

  • CVE-2025-22225 is an arbitrary write vulnerability in ESXi. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

  • CVE-2025-22226 is an information disclosure bug in ESXi, Workstation, and Fusion. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the VMX process.

What to Do Now: VMware released patches for all three of the vulnerabilities on March 3, and enterprises should update as soon as possible to avoid exploitation.