VMware Warns Customers to Patch Actively Exploited Zero-Day Vulnerabilities

Summary:
VMware has released a critical security advisory addressing three zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) that are being actively exploited in the wild. These vulnerabilities affect VMware ESXi, Workstation, and Fusion products, with severity levels ranging from high to critical. The most severe, CVE-2025-22224, is a heap-overflow issue allowing local administrative users on a virtual machine to execute code on the host. CVE-2025-22225 enables arbitrary kernel writes, and CVE-2025-22226 allows information disclosure through out-of-bounds reads. Microsoft Threat Intelligence Center reported these flaws, and VMware strongly urges customers to apply the provided updates immediately, as no workarounds are available. The advisory comes amidst a landscape of increased exploitation of software vulnerabilities by various threat actors, including state-sponsored groups and ransomware operators, who frequently target VMware environments.

Security Officer Comments:
The emergence of actively exploited zero-day vulnerabilities in VMware products is a significant security issue, particularly given the prevalence of VMware in enterprise organizations’ environments. The critical CVSS score of CVE-2025-22224, coupled with the potential for local privilege escalation to remote code execution, signals its need for immediate attention. The fact that threat actors are already leveraging these flaws underscores the importance of prompt patching and robust vulnerability management. The lack of detailed attribution regarding the threat actors isn’t abnormal, as shared infrastructure between nation-state groups and other factors can make attributing activity with certainty difficult to achieve. That ambiguity suggests a broad spectrum of potential adversaries, from sophisticated state-sponsored groups to financially motivated ransomware operators. The continued trend of targeting virtualization platforms like VMware highlights their strategic importance as a gateway to critical infrastructure. The mention of recent campaigns by Chinese state-sponsored actors and ransomware groups like Helldown and Play serves as a stark reminder of the escalating threat landscape. The need for organizations to adopt a proactive security posture, including timely patching and enhanced network monitoring, is more pressing than ever. The fact that these flaws were reported by Microsoft Threat Intelligence also displays the level of collaboration occurring between security vendors to protect customers.

Suggested Corrections:
Customers are urged to apply VMware's updates for these vulnerabilities.
  • Immediate Patching: Apply the official VMware updates for ESXi, Workstation, and Fusion as soon as possible.
  • Restrict Local Admin Privileges: Limit local administrative privileges within virtual machines to reduce the potential for exploitation.
  • Review Access Control Lists (ACLs): Ensure strict ACLs are in place to limit access to sensitive virtual machines and host systems.
  • Vulnerability Scanning: Perform regular vulnerability scans to identify and address any remaining vulnerabilities.
Link(s):
https://www.infosecurity-magazine.com/news/vmware-patch-exploited-zero-day/