- Broadcom releases fix for three vulnerabilities being abused in the wild
- The bugs were described as VM escape flaws
- The company urged users to apply the fix as soon as possible
Broadcom has released a fix for three vulnerabilities, affecting a number of its VMware products, one of which is deemed critical, and is already being abused in the wild.
In a security advisory published, Broadcom said it released a patch that addresses VM escape vulnerabilities tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. A VM escape is a vulnerability that allows an attacker who has already compromised a virtual machine’s guest OS and gained privileged access to move into the hypervisor itself.
The bugs affect all supported versions of VMware ESX, VMware vSphere, VMware Cloud Foundation, and VMware Telco Cloud Platform. They were assigned severity scores 9.3, 8.2, and 7.1, respectively.
Targeting VMware
“Broadcom has information to suggest that exploitation of these issues has occurred “in the wild,” the company said in the advisory.
Since VMware solutions are often found in both enterprise and SMB environments, they are a popular target among cybercriminals looking to access sensitive company data. To tackle the constant threat, Broadcom continuously scans for vulnerabilities and patches them.
In mid-November 2024, for example, Broadcom warned of two flaws plaguing its VMware vCenter Server product, which were being exploited in the wild. Just as today, the company then urged users to apply the patch immediately, and warned there were no workarounds. The vulnerabilities could be used to cause quite the damage to compromised networks.
Earlier still, in March 2024, VMware patched a whole host of security vulnerabilities affecting a number of its key business products. The vulnerabilities affected ESXi, Workstation, and Fusion products, and are tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. The first two are described as use-after-free flaws in the XHCI USB controller, affecting all three products. For Workstation and Fusion, they carry a severity score of 9.3, while for ESXi, it’s 8.4.
Via BleepingComputer