NormCyber Threat Bulletin: February 2026

Three Critical VMware Zero-Day Vulnerabilities Chained by Threat Actors

In 2025, three critical zero-day vulnerabilities were found in VMware ESXi, Workstation, and Fusion. It was identified that these three vulnerabilities could be chained together by attackers to achieve a full hypervisor takeover from a running virtual machine. Recent reporting has attributed the malicious activity to Chinese-speaking threat actors who had been exploiting these vulnerabilities for more than a year prior to their public disclosure.

All three of the following vulnerabilities were added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalogue on 04 March 2025 because exploitation had been identified in the wild.

CVE-2025-22224

VMware ESXi and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX (Virtual Machine Executable) process running on the host.

This vulnerability has been given a CVSS (Common Vulnerability Scoring System) base score of 8.2 by NIST (National Institute of Standards and Technology), indicating high severity, whilst VMware has given it a base score of 9.3, which is critical severity.

CVE-2025-22225

VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write, leading to an escape of the sandbox.

This vulnerability has been given a CVSS base score of 8.2 by both NIST and VMware, indicating high severity.

CVE-2025-22226

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability caused by an out-of-bounds read in the HGFS (Host Guest File System). A malicious actor with administrative access to a virtual machine could exploit this vulnerability to leak memory from the VMX process.

This vulnerability has been given a CVSS base score of 6 by NIST, indicating medium severity, whilst VMware has attributed a base score of 7.1, which is high severity.


The following products are vulnerable to CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226:

  • Broadcom VMware ESXi 7.0 and 8.0
  • Broadcom VMware Cloud Foundation 4.5.x and 5.x
  • Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x
  • Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x

The following products are vulnerable to CVE-2025-22224 and CVE-2025-22226:

  • Broadcom VMware Workstation 17.x

The following product is vulnerable to CVE-2025-22226:

  • Broadcom VMware Fusion 13.x

Chinese-speaking threat actors exploited a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit kit that appears to have been developed more than a year before the targeted vulnerabilities were publicly disclosed.

Analysis of the attack observed from December 2025, in which the attackers used a sophisticated VM (virtual machine) escape, showed likely exploitation of three VMware vulnerabilities revealed as zero-days in March 2025. Broadcom warned at the time that attackers with administrator privileges could chain these flaws to escape a VM and access the underlying hypervisor.

Research indicates that the vulnerabilities may have been chained into an exploit as early as February 2024. Researchers identified a PDB path (the file system location of a Program Database (.pdb) file) containing a folder named “2024_02_19”, indicating that the exploit was already under development well before disclosure. The folder name, which translates to “All versions of escape-delivery”, implies ESXi 8.0 Update 3 was the intended target.

It has been assessed that the threat actors likely gained initial access through a compromised SonicWall VPN. Using a compromised Domain Admin account, the attacker pivoted via RDP to domain controllers, staged data for exfiltration, and executed an exploit chain to escape a guest VM and compromise the ESXi hypervisor.

The exploit toolkit included MAESTRO (exploit.exe), which coordinated the VM escape; MyDriver.sys, an unsigned kernel driver that executed the escape and deployed a hypervisor backdoor; VSOCKpuppet, an ELF backdoor on the ESXi host enabling command execution and file transfer over VSOCK; and a GetShell Plugin (client.exe), a Windows VSOCK client used to interact with the backdoor from a guest VM.

Additional evidence of early development came from a PDB path in client.exe referencing a “2023_11_02” folder, suggesting it was part of a broader vmci_vm_escape toolkit with a getshell component.
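As an added example (not part of the bulletin and not the toolkit's own code), the following Python hunts constructed guest-VM telemetry for the toolkit traits described above: unsigned kernel driver loads, the reported artefact names exploit.exe, client.exe and MyDriver.sys, and the vmci_vm_escape and dated PDB path fragments. The key=value event format, host names and sample events are constructed for this example; map the fields onto your EDR's driver-load and process-create events.

```python
from collections import defaultdict

# Artefact names and PDB path fragments the bulletin reports for the toolkit.
TOOLKIT_IMAGES = {"exploit.exe", "client.exe", "mydriver.sys"}
PDB_FRAGMENTS = ("vmci_vm_escape", "2024_02_19", "2023_11_02")


def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value; key=value' telemetry line into a dict."""
    return {k.strip().lower(): v.strip()
            for k, v in (part.split("=", 1) for part in line.split(";") if "=" in part)}


def evaluate(event: dict) -> list[str]:
    """Return the reasons a single event matches the toolkit's tradecraft."""
    reasons = []
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if event.get("type", "").lower() == "driverload" and event.get("signed", "").lower() == "false":
        reasons.append(f"unsigned kernel driver loaded: {image}")
    if image in TOOLKIT_IMAGES:
        reasons.append(f"known toolkit artefact name: {image}")
    pdb = event.get("pdb", "").lower()
    hits = [frag for frag in PDB_FRAGMENTS if frag in pdb]
    if hits:
        reasons.append("PDB path fragment(s): " + ", ".join(hits))
    return reasons


def hunt(lines: list[str]) -> dict[str, list[str]]:
    """Group matching reasons by guest host; several distinct reasons on one host raise confidence."""
    findings = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        for reason in evaluate(event):
            findings[event.get("host", "?")].append(reason)
    return dict(findings)


# Constructed telemetry for two hypothetical VDI guests; these are not real logs.
SAMPLE_EVENTS = [
    "host=vdi-042; type=ProcessCreate; image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\exploit.exe; pdb=D:\\work\\vmci_vm_escape\\2024_02_19\\maestro.pdb",
    "host=vdi-042; type=DriverLoad; image=C:\\Windows\\Temp\\MyDriver.sys; signed=false",
    "host=vdi-042; type=ProcessCreate; image=C:\\Windows\\Temp\\client.exe; pdb=D:\\work\\vmci_vm_escape\\2023_11_02\\getshell\\client.pdb",
    "host=vdi-017; type=DriverLoad; image=C:\\Windows\\System32\\drivers\\vmci.sys; signed=true",
    "host=vdi-017; type=ProcessCreate; image=C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
]

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS).items():
        print(host, "HIGH" if len(reasons) >= 3 else "LOW", reasons)
```

A legitimate VMware driver load (vmci.sys, signed) and vmtoolsd.exe produce no findings, so the logic keys on the unsigned driver and build-path traits rather than on VMCI use itself.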

It has been hypothesised that the threat actor follows a modular approach, separating post-exploitation tools from exploits to reuse infrastructure while swapping vulnerabilities. It has also been reasonably concluded that the toolkit leverages the three vulnerabilities disclosed by Broadcom, based on behaviour such as HGFS information leaks, VMCI memory corruption, and kernel shellcode escape. 

The build paths contain Simplified Chinese, alongside an English-language README, which suggests the toolkit may have been developed in a Chinese-speaking region and possibly intended for sharing or sale.

All three zero-days are post-compromise vulnerabilities and require an attacker to already have administrative level access on an affected system to exploit them.

However, attackers with administrative access can break out of guest OS sandboxes and seize hypervisor control.

In a worst-case scenario, this breach permits reconfiguration of the hypervisor, lateral movement across systems, exfiltration of sensitive data, disruption of services, and the deployment of additional malware, effectively compromising the entire virtualised ecosystem.

Example compromise scenarios

  • VMware-based VDI workstations: An employee makes a mistake by opening a malicious attachment on their virtual workstation. Rather than impacting only one workstation, the incident escalates into a large-scale compromise.
  • VMware-based hybrid and private clouds: If any server is successfully compromised through a publicly accessible application vulnerability, an attacker can quickly spread the attack throughout the entire network.
  • Leasing virtual servers and workstations (prebuilt VMs) from an MSP: A client error that causes an infection on a rented host will lead to the compromise of all MSP clients that share resources within the same cluster.

Analyst Assessment

These vulnerabilities represent a high-risk guest-to-host escape chain targeting the core of VMware virtualisation infrastructure. Their value lies not in individual exploitation, but in their ability to be combined to move from guest administrator access to full ESXi host control. Given the strategic importance of virtualisation platforms, these flaws should be treated as Tier-0 risks, with patching and hardening prioritised accordingly.

For UK organisations, particularly in government, critical infrastructure, and regulated sectors, this activity reinforces the need to minimise unused hypervisor features, enforce strong separation of duties, and maintain high visibility into both guest and host activity.
