Broadcom has liberated Safety updates to solve three active security deficiencies in VMware ESXI, workstation and merger that can lead to code and disclosure.
The list of vulnerabilities is the following –
- Cve-2025-2224 (CVSS assessment: 9.3) -In time of vulnerability of use time (TOCTOU), which leads to record outside the malicious actor with local administrative privileges on the virtual machine can use to perform the code as the VMX-Virgin machine operating on the hoste
- Cve-2025-2225 (CVSS’s assessment: 8.2) – An arbitrary vulnerability of the recording that a malicious actor with privileges during the VMX can use to lead to shoots
- Cve-2025-2226 (CVSS assessment: 7.1) —The difference in information disclosure due to read in HGF-by-up restriction
Disadvantages affect the below version –
- VMware ESXI 8.0-Spent in ESXI80U3D-24585383, ESXI80U2D-24585300
- Vmware ESXI 7.0 – Fixed in ESXI70U3S -245291
- VMware Workstation 17.x – Fixed at 17.6.3
- Vmware fusion 13.x – fixed at 13.6.3
- Vmware Cloud Foundation 5.x – Async Patch to ESXI80U3D -245853
- VMware Cloud Foundation 4.X – Async patch to ESXI70U3S -245291
- VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x – recorded in ESXI 7.0U3s, ESXI 8.0U2D and ESXI 8.0U3D
- VMware Telco Cloud Infrastructure 3.x, 2.x – fixed in ESXI 7.0U3s
In a separate FAQ, Broadcom recognized What he has “information that suggests that in the wild there was an exploitation of these issues,” but it did not specify the nature of the attacks and the identity of the threat subjects that armed them.
Virtualization Services provider attributed Microsoft Intelligence Center for Error detecting and reports. In light of active operation, it is very important that users use the latest patches to optimal protection.
