Three zero-day flaws in VMware ESXi, Workstation, and Fusion exploited in the wild

US-based virtualization and cloud computing software provider VMware has released security updates to address three security vulnerabilities in its ESXi, Workstation, and Fusion products that are being exploited in the wild.

One of the bugs (CVE-2025-22224) is a heap-based buffer overflow in VMCI (the Virtual Machine Communication Interface). A malicious actor with local administrative privileges inside a virtual machine can trigger the overflow and execute arbitrary code on the host in the context of that VM's VMX process.

The second vulnerability, tracked as CVE-2025-22225, is an arbitrary kernel write caused by improperly enforced security restrictions. An attacker who already holds privileges within the VMX process can write arbitrary data to kernel memory and escape the VMX sandbox.

The third flaw (CVE-2025-22226) is an out-of-bounds read that could allow an attacker with administrative privileges in a virtual machine to leak memory from the VMX process.

The flaws affect VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion, VMware Cloud Foundation, and VMware Telco Cloud Platform. VMware lists no workarounds, so users are advised to apply the updates as soon as possible. Note that all three issues require an attacker who already controls a guest VM (or, for CVE-2025-22225, the VMX process), so they are a guest-to-host escape path rather than a remote, unauthenticated one.
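The first thing a practitioner wants here is a quick way to tell whether a host or desktop hypervisor is already on a fixed build. The following is an added example, not code from the article or from VMware: it parses the text of `esxcli system version get` and of a `vmware -v` style version string and compares against fixed builds. The fixed-version values (`FIXED_DESKTOP`, `FIXED_ESXI_80U3`) are assumptions for this example and must be confirmed against the vendor advisory for VMSA-2025-0004 before the result is trusted; the sample outputs are constructed, not captured from real hosts.

```python
"""Patch-status triage for VMSA-2025-0004 (CVE-2025-22224/22225/22226).

Added example, not VMware's code. Fixed-version values below are assumptions
and must be confirmed against the vendor advisory before use.
"""
import re
from typing import Tuple

# Assumed fixed versions for the desktop products (confirm against the advisory).
FIXED_DESKTOP = {
    "Workstation": (17, 6, 3),
    "Fusion": (13, 6, 3),
}

# Assumed fixed build for the ESXi 8.0 U3 line (confirm against the advisory).
FIXED_ESXI_80U3 = 24585383


def parse_esxi_version(esxcli_output: str) -> Tuple[str, int]:
    """Return (version, build) from the text of `esxcli system version get`."""
    version = re.search(r"^\s*Version:\s*(\S+)", esxcli_output, re.M)
    build = re.search(r"^\s*Build:\s*Releasebuild-(\d+)", esxcli_output, re.M)
    if version is None or build is None:
        raise ValueError("unrecognised esxcli output")
    return version.group(1), int(build.group(1))


def esxi_is_patched(esxcli_output: str, fixed_build: int) -> bool:
    """True when the host build is at or above fixed_build.

    ESXi fixes ship per update line (for example 7.0 U3, 8.0 U2, 8.0 U3), so
    fixed_build must be the build the advisory lists for the line the host
    is on; a build from a different line is not comparable.
    """
    _, build = parse_esxi_version(esxcli_output)
    return build >= fixed_build


def parse_desktop_version(vmware_v_output: str) -> Tuple[str, Tuple[int, int, int]]:
    """Return (product, (major, minor, patch)) from a `vmware -v` style string."""
    m = re.search(r"VMware (Workstation|Fusion)\s+(\d+)\.(\d+)\.(\d+)", vmware_v_output)
    if m is None:
        raise ValueError("unrecognised product version string")
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def desktop_is_patched(vmware_v_output: str) -> bool:
    """True when Workstation/Fusion is at or above the assumed fixed version."""
    product, ver = parse_desktop_version(vmware_v_output)
    return ver >= FIXED_DESKTOP[product]


# Constructed sample outputs (not captured from real hosts).
ESXI_SAMPLE = """   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24414501
   Update: 3
   Patch: 100
"""
WORKSTATION_SAMPLE = "VMware Workstation 17.6.2 build-24409262"
FUSION_SAMPLE = "VMware Fusion 13.6.3 build-24585314"

if __name__ == "__main__":
    print("ESXi 8.0 U3 host patched:", esxi_is_patched(ESXI_SAMPLE, FIXED_ESXI_80U3))
    print("Workstation patched:", desktop_is_patched(WORKSTATION_SAMPLE))
    print("Fusion patched:", desktop_is_patched(FUSION_SAMPLE))
```

Run it with the real output of `esxcli system version get` (ESXi) or `vmware -v` (Workstation/Fusion) in place of the constructed samples. The ESXi comparison is deliberately per update line: a host on 8.0 U2 must be checked against the 8.0 U2 fixed build, not the 8.0 U3 one.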

In related news, Google has rolled out its monthly Android Security Bulletin for March 2025 to fix over 40 vulnerabilities, including two that had already been exploited as part of a zero-day exploit chain developed by Israeli digital intelligence company Cellebrite and used against a Serbian youth activist.

Last but not least, the US Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

  • CVE-2023-20118 - A command injection flaw in Cisco Small Business RV Series routers, granting root-level access to authenticated attackers (unpatched due to end-of-life status).

  • CVE-2022-43939 - An authorization bypass in Hitachi Vantara Pentaho BA Server, fixed in versions 9.3.0.2 and 9.4.0.1 (released August 2024).

  • CVE-2022-43769 - A special element injection vulnerability in the same server, allowing arbitrary command execution, fixed in versions 9.3.0.2 and 9.4.0.1 (released August 2024).

  • CVE-2018-8639 - A privilege escalation flaw in Microsoft Windows Win32k, fixed in December 2018.

  • CVE-2024-4885 - A path traversal vulnerability in Progress WhatsUp Gold, allowing remote code execution (fixed in version 2023.1.3, released June 2024).
