dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

VMware Security Flaws Exploited in the Wild—Broadcom Releases Urgent Patches

Avatar
info@thehackernews.com (The Hacker News)
March 4, 2025
Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products that could lead to code execution and information disclosure. The list of vulnerabilities is as follows – CVE-2025-22224 (CVSS score: 9.3) – A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with
Total
0
Shares
0
0
0
[[{“value”:”

Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products that could lead to code execution and information disclosure.

The list of vulnerabilities is as follows –

CVE-2025-22224 (CVSS score: 9.3) – A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with local administrative privileges on a virtual machine could exploit to execute code as the virtual machine’s VMX process running on the host
CVE-2025-22225 (CVSS score: 8.2) – An arbitrary write vulnerability that a malicious actor with privileges within the VMX process could exploit to result in a sandbox escape
CVE-2025-22226 (CVSS score: 7.1) – An information disclosure vulnerability due to an out-of-bounds read in HGFS that a malicious actor with administrative privileges to a virtual machine could exploit to leak memory from the vmx process

The shortcomings impact the below versions –

VMware ESXi 8.0 – Fixed in ESXi80U3d-24585383, ESXi80U2d-24585300
VMware ESXi 7.0 – Fixed in ESXi70U3s-24585291
VMware Workstation 17.x – Fixed in 17.6.3
VMware Fusion 13.x – Fixed in 13.6.3
VMware Cloud Foundation 5.x – Async patch to ESXi80U3d-24585383
VMware Cloud Foundation 4.x – Async patch to ESXi70U3s-24585291
VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x – Fixed in ESXi 7.0U3s, ESXi 8.0U2d, and ESXi 8.0U3d
VMware Telco Cloud Infrastructure 3.x, 2.x – Fixed in ESXi 7.0U3s

In a separate FAQ, Broadcom acknowledged that it has “information to suggest that exploitation of these issues has occurred ‘in the wild,’ but it did not elaborate on the nature of the attacks or the identity of the threat actors that have weaponized them.

The virtualization services provider credited the Microsoft Threat Intelligence Center for discovering and reporting the bugs. In light of active exploitation, it’s essential that users apply the latest patches for optimal protection.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

How New AI Agents Will Transform Credential Stuffing Attacks

March 4, 2025
Next Post

Dark Caracal group might have refreshed its malware, researchers say

March 4, 2025
Related Posts
2 min

Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks. The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.
Avatar
info@thehackernews.com (The Hacker News)
January 8, 2025
Read More
2 min

Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution. "Prototype pollution in Kibana leads to
Avatar
info@thehackernews.com (The Hacker News)
March 6, 2025
Read More