VMware (Multiple Products) - Information Disclosure via Unauthorised Read of Process Memory (CVE-2025-22226)

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS.

A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

This vulnerability has been reported by CISA (America's Cyber Defense Agency) under its 'KEV' (known exploited vulnerabilities') catalogue process to be known to be currently actively exploited in the wild as of 2025-03-04. At the same time as this announcement, both VMware and CISA also reported on two other related vulnerabilities which are also known to be under active exploitation (CVE-2025-22224 and CVE-2025-22225). Whilst the identities of both attackers and targets remains unclear, the Shadowserver Foundation has reported that there are approximately 37,000 internet-exposed VMware ESXi instances. Microsoft's Threat Intelligence Center have also reported this vulnerability has been exploited as a' 0-day' for an 'undisclosed' period of time.

Affected Product versions:

• VMware ESXi version 8 prior to update ESXi80U3d-24585383

• VMware ESXi version 8 prior to update ESXi80U2d-24585300

• VMware ESXi version 7.0  prior to update ESXi70U3s-24585291

• VMware Workstation version 17.x prior to update 17.6.3

• VMware Cloud Foundation version 5.x prior to async patch ESXi80U3d-24585383

• VMware Cloud Foundation version 4.5.x prior to async patch ESXi70U3s-24585291

• VMware Fusion version 13.x prior to update 13.6.3

Customers are advised to upgrade to the latest version of VMware ESXi, VMware Workstation and VMware Cloud Foundation.

Fixed versions can be downloaded via the following links:

• VMware ESXi 8.0 Update ESXi80U3d-24585383

• VMware ESXi 8.0 Update ESXi80U2d-24585300

• VMware ESXi 7.0 Update ESXi70U3s-24585291

• VMware Workstation 17.6.3 (Windows)

• VMware Workstation 17.6.3 (Linux)

• VMware Workstation Pro 17.6.3

• VMware Cloud Foundation 5.x async patch ESXi80U3d-24585383

• VMware Cloud Foundation 4.5 async patch ESXi70U3s-24585291

• VMware Fusion 13.6.3

Due to ongoing active exploitation of this vulnerability, prioritisation should be given to the urgent remediation of vulnerable systems.

• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

• https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004

• https://socradar.io/vmware-security-zero-day-cve-2025-22224-cve-2025-22225-and-cve-2025-22226/

• https://www.bleepingcomputer.com/news/security/over-37-000-vmware-esxi-servers-vulnerable-to-ongoing-attacks/