VMware (Multiple Products) - Information Disclosure via Unauthorised Read of Process Memory (CVE-2025-22226)
Description
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS.
A malicious actor with administrative privileges inside a virtual machine may be able to exploit this issue to leak memory from the vmx process (the per-VM virtual machine executable running on the host), i.e. a guest-to-host information disclosure.
This vulnerability was added by CISA (America's Cyber Defense Agency) to its Known Exploited Vulnerabilities (KEV) catalogue on 2025-03-04, indicating it is known to be actively exploited in the wild. Alongside this announcement, both VMware and CISA also reported two related vulnerabilities that are also known to be under active exploitation (CVE-2025-22224 and CVE-2025-22225). Whilst the identities of both attackers and targets remain unclear, the Shadowserver Foundation has reported that there are approximately 37,000 internet-exposed VMware ESXi instances. Microsoft's Threat Intelligence Center has also reported that this vulnerability was exploited as a 0-day for an undisclosed period of time.
Affected Product versions:
VMware ESXi version 8 prior to update ESXi80U3d-24585383
VMware ESXi version 8 prior to update ESXi80U2d-24585300
VMware ESXi version 7.0 prior to update ESXi70U3s-24585291
VMware Workstation version 17.x prior to update 17.6.3
VMware Cloud Foundation version 5.x prior to async patch ESXi80U3d-24585383
VMware Cloud Foundation version 4.5.x prior to async patch ESXi70U3s-24585291
VMware Fusion version 13.x prior to update 13.6.3
Remediation
Customers are advised to upgrade to the fixed versions of VMware ESXi, VMware Workstation, VMware Fusion and VMware Cloud Foundation listed above.
Fixed versions can be downloaded via the following links:
Due to ongoing active exploitation of this vulnerability, prioritisation should be given to the urgent remediation of vulnerable systems.
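As an added example (not part of the original advisory and not VMware's own tooling), the following Python script parses the output of `esxcli system version get` from an ESXi host and compares the build number against the fixed builds listed above. It assumes the Product/Version/Build/Update key-value layout shown in the constructed sample outputs, which are made up for illustration rather than captured from real hosts. The comparison must be done per update line: an ESXi 8.0 U2 host at build 24585300 is fixed even though that number is lower than the 8.0 U3 fix build 24585383, so a single global threshold would misclassify it. Hosts on update lines the advisory does not list (for example 8.0 U1) are reported as "unlisted" because this page gives no fix build for them.

```python
import re

# Minimum fixed build per (major.minor, update) line, taken from the advisory's
# "Affected Product versions" list. Builds increase over time within a line,
# so "build >= fix build" on the same line means the fix is present.
FIXED_BUILDS = {
    ("8.0", 3): 24585383,  # ESXi80U3d-24585383
    ("8.0", 2): 24585300,  # ESXi80U2d-24585300
    ("7.0", 3): 24585291,  # ESXi70U3s-24585291
}

# Constructed sample outputs (assumed 'esxcli system version get' layout).
SAMPLE_FIXED_U3 = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24585383
   Update: 3
   Patch: 0
"""
SAMPLE_VULN_U2 = """\
   Product: VMware ESXi
   Version: 8.0.2
   Build: Releasebuild-23825572
   Update: 2
   Patch: 0
"""
SAMPLE_FIXED_U2 = """\
   Product: VMware ESXi
   Version: 8.0.2
   Build: Releasebuild-24585300
   Update: 2
   Patch: 0
"""
SAMPLE_UNLISTED_U1 = """\
   Product: VMware ESXi
   Version: 8.0.1
   Build: Releasebuild-22088125
   Update: 1
   Patch: 0
"""


def parse_esxcli_version(output):
    """Parse 'Key: value' lines into a dict with version, build and update.

    Build is taken from the trailing digits of the Build field
    ("Releasebuild-24585383" -> 24585383).
    """
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*\S)", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    version = fields.get("version")
    build_m = re.search(r"(\d+)\s*$", fields.get("build", ""))
    update = fields.get("update")
    if not version or not build_m or update is None:
        raise ValueError("missing Version/Build/Update in esxcli output")
    return {"version": version, "build": int(build_m.group(1)), "update": int(update)}


def assess(host):
    """Return 'fixed', 'vulnerable' or 'unlisted' for a parsed host record."""
    major_minor = ".".join(host["version"].split(".")[:2])
    fix_build = FIXED_BUILDS.get((major_minor, host["update"]))
    if fix_build is None:
        return "unlisted"  # no fix build on this page for this update line
    return "fixed" if host["build"] >= fix_build else "vulnerable"


def assess_output(output):
    """Convenience wrapper: raw esxcli text in, status string out."""
    return assess(parse_esxcli_version(output))


if __name__ == "__main__":
    for name, sample in [("8.0 U3d", SAMPLE_FIXED_U3), ("8.0 U2c", SAMPLE_VULN_U2),
                         ("8.0 U2d", SAMPLE_FIXED_U2), ("8.0 U1", SAMPLE_UNLISTED_U1)]:
        print(f"{name}: {assess_output(sample)}")
```

In practice the text fed to `assess_output` would come from running `esxcli system version get` over SSH on each host. Workstation and Fusion are versioned by product release (17.6.3 and 13.6.3 respectively) rather than ESXi build numbers and are not covered by this check.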
Information
- Category: —
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-125 (Out-of-bounds Read)
- CVE: CVE-2025-22226
- Known Exploitation Activity: Yes (CISA KEV catalogue, added 2025-03-04)
OWASP
- OWASP 2013: A6 - Sensitive Data Exposure
- OWASP 2017: A3 - Sensitive Data Exposure
- OWASP 2021: Unknown