VMware (Multiple Products) - Information Disclosure via Unauthorised Read of Process Memory (CVE-2025-22226)

Description

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS.

A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

CISA (America's Cyber Defense Agency) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, indicating that it is actively exploited in the wild as of 2025-03-04. At the same time as this announcement, both VMware and CISA also reported two other related vulnerabilities which are known to be under active exploitation (CVE-2025-22224 and CVE-2025-22225). Whilst the identities of both attackers and targets remain unclear, the Shadowserver Foundation has reported that there are approximately 37,000 internet-exposed VMware ESXi instances. Microsoft's Threat Intelligence Center has also reported that this vulnerability was exploited as a '0-day' for an 'undisclosed' period of time.

Affected Product versions:

  • VMware ESXi version 8 prior to update ESXi80U3d-24585383

  • VMware ESXi version 8 prior to update ESXi80U2d-24585300

  • VMware ESXi version 7.0 prior to update ESXi70U3s-24585291

  • VMware Workstation version 17.x prior to update 17.6.3

  • VMware Cloud Foundation version 5.x prior to async patch ESXi80U3d-24585383

  • VMware Cloud Foundation version 4.5.x prior to async patch ESXi70U3s-24585291

  • VMware Fusion version 13.x prior to update 13.6.3
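As an added example (not from the advisory or from VMware), the following version check encodes the affected-version list above. It assumes the key/value layout of `esxcli system version get` shown in the constructed sample, and it handles the point a practitioner most often gets wrong here: ESXi build numbers are only comparable within one update line, so the fixed build must be looked up by update line rather than treated as a single threshold.

```python
import re

# Fixed ESXi builds from the advisory, keyed by the version string esxcli
# reports (8.0.3 = 8.0 U3, 8.0.2 = 8.0 U2, 7.0.3 = 7.0 U3). Build numbers
# are not one ordering across update lines: an 8.0 U3 build below 24585383
# is unpatched even though it is numerically above the U2d fix 24585300.
ESXI_FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}

# Fixed Workstation/Fusion versions from the advisory, keyed by (product, major).
DESKTOP_FIXED = {("Workstation", 17): (17, 6, 3), ("Fusion", 13): (13, 6, 3)}

# Constructed sample of `esxcli system version get` output (assumed layout);
# the build number is a made-up value just below the U3d fix.
SAMPLE_ESXCLI_OUTPUT = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24585000
   Update: 3
"""

def parse_esxcli_version(text):
    """Turn 'Key: value' lines into a dict with lowercase keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def esxi_is_vulnerable(fields):
    """True if the build is below the fix for its update line, False if at or
    after it, None if the advisory lists no fix for that line (review manually)."""
    fixed = ESXI_FIXED_BUILDS.get(fields.get("version", ""))
    if fixed is None:
        return None
    build = int(re.search(r"(\d+)\s*$", fields.get("build", "0")).group(1))
    return build < fixed

def desktop_is_vulnerable(product, version):
    """Same check for Workstation/Fusion; dotted versions compare as int tuples."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = DESKTOP_FIXED.get((product, parts[0]))
    if fixed is None:
        return None  # major version not covered by the advisory
    return parts < fixed
```

A `None` result means the host is on a line the advisory does not list (for example an older 8.0 or 7.0 update), which should be treated as needing review rather than as patched.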

Remediation

Customers are advised to upgrade to the latest version of VMware ESXi, VMware Workstation and VMware Cloud Foundation.

Fixed versions can be downloaded via the following links:

Due to ongoing active exploitation of this vulnerability, prioritisation should be given to the urgent remediation of vulnerable systems.

Risk

Impact: High
Probability: High
CVSS v4 Score:
CVSS v3 Score: 7.1 / 10
CVSS v2 Score: 4.1 / 10
EPSS: 1.2 %

Versions

Information

Category

CWE:
  • CWE-200
  • CWE-125

Known Exploitation Activity:

OWASP

OWASP 2013: A6 - Sensitive Data Exposure
OWASP 2017: A3 - Sensitive Data Exposure
OWASP 2021: Unknown