Updated:
Status:
CVEs: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
Fortra is actively researching multiple vulnerabilities impacting VMware ESXi, Workstation, and Fusion: CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226.
These are three distinct issues. CVE-2025-22224 is a TOCTOU (Time-of-Check Time-of-Use) flaw in the VMCI driver that leads to an out-of-bounds write; a malicious actor with administrative privileges inside a guest virtual machine may be able to exploit it to execute code as the VMX process on the host. CVE-2025-22225 is an arbitrary write in ESXi that a compromised VMX process may use to trigger an arbitrary kernel write, escaping the VMX sandbox. CVE-2025-22226 is an out-of-bounds read in HGFS that a guest administrator may be able to exploit to leak memory from the vmx process. Chained together, they take an attacker from control of one guest to control of the hypervisor.
Who is affected?
The following products are affected by these vulnerabilities.
CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
- VMware ESXi Versions 7.0 and 8.0
- VMware Cloud Foundation version 4.5.x, 5.x
- VMware Telco Cloud Platform version 5.x, 4.x, 3.x, 2.x
- VMware Telco Cloud Infrastructure 3.x, 2.x
CVE-2025-22224, CVE-2025-22226
- VMware Workstation Pro / Player (Workstation) version 17.x
CVE-2025-22226
- VMware Fusion version 13.x
What can I do?
Customers should install updates as soon as possible: the vendor published no workaround for these issues and reported that exploitation had already occurred in the wild. Because each issue requires an attacker who already holds administrative access inside a guest, hosts that run untrusted or multi-tenant workloads should be patched first. The vendor recommends the following updates:
CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
Product | Fixed version |
VMware ESXi 8.0 | ESXi 8.0 Update 2d or ESXi 8.0 Update 3d |
VMware ESXi 7.0 | ESXi 7.0 Update 3s |
VMware Cloud Foundation | Async patch to ESXi 8.0 Update 3d or ESXi 7.0 Update 3s |
VMware Telco Cloud Platform | ESXi 8.0 Update 2d, ESXi 8.0 Update 3d, or ESXi 7.0 Update 3s |
VMware Telco Cloud Infrastructure | ESXi 7.0 Update 3s |
CVE-2025-22224, CVE-2025-22226
Product | Fixed version |
VMware Workstation Pro / Player (Workstation) | 17.6.3 |
CVE-2025-22226
Product | Fixed version |
VMware Fusion | 13.6.3 |
For more information about these vulnerabilities, planned patches, and vendor recommendations, refer to the vendor Security Bulletin (VMSA-2025-0004) and vendor page.
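As an added example (not Fortra's or Broadcom's tooling), the POSIX shell function below classifies the first line of `vmware -vl` from an ESXi host against the fixed versions listed above. The three build numbers it uses for 7.0 Update 3s, 8.0 Update 2d and 8.0 Update 3d are assumed here from memory of the vendor bulletin and must be confirmed against it before relying on the result; the banners in the demo loop are constructed.

```shell
#!/bin/sh
# Added example, not Fortra or Broadcom code: classify an ESXi host's
# "vmware -vl" banner (first line) against the VMSA-2025-0004 fix builds.
# ASSUMPTION: the three build numbers below are recalled from the vendor
# bulletin; confirm them there before using this in an audit.
FIX_BUILD_70U3S=24585291   # ESXi 7.0 Update 3s
FIX_BUILD_80U2D=24585300   # ESXi 8.0 Update 2d
FIX_BUILD_80U3D=24585383   # ESXi 8.0 Update 3d

# esxi_status "<banner>"
#   prints PATCHED / VULNERABLE / UNKNOWN and returns 0 / 1 / 2.
#   banner example: "VMware ESXi 8.0.3 build-24585383"
esxi_status() {
    banner="$1"
    case "$banner" in
        "VMware ESXi "*" build-"*) ;;
        *) echo UNKNOWN; return 2 ;;
    esac
    rest="${banner#VMware ESXi }"   # "8.0.3 build-24585383"
    ver="${rest%% *}"               # "8.0.3"
    build="${rest##*build-}"        # "24585383" (may carry trailing text)
    build="${build%%[!0-9]*}"       # keep the leading digits only
    [ -n "$build" ] || { echo UNKNOWN; return 2; }

    case "$ver" in
        7.0|7.0.*) fix=$FIX_BUILD_70U3S ;;   # 7.0 U1/U2 builds are below the U3s build
        8.0.2)     fix=$FIX_BUILD_80U2D ;;
        8.0.3)     fix=$FIX_BUILD_80U3D ;;
        8.0|8.0.0|8.0.1)
            # The GA and Update 1 lines received no patch; move to U2d or U3d.
            echo VULNERABLE; return 1 ;;
        *) echo UNKNOWN; return 2 ;;         # 6.x and earlier are not in the bulletin
    esac
    if [ "$build" -ge "$fix" ]; then
        echo PATCHED; return 0
    fi
    echo VULNERABLE; return 1
}

# Demo on constructed banners. On a real host run:
#   esxi_status "$(vmware -vl | head -n 1)"
for banner in \
    "VMware ESXi 8.0.3 build-24585383" \
    "VMware ESXi 8.0.3 build-24280767" \
    "VMware ESXi 7.0.3 build-24585291" \
    "VMware ESXi 8.0.1 build-22088125" \
    "VMware ESXi 6.7.0 build-17167734"
do
    printf '%-40s %s\n' "$banner" "$(esxi_status "$banner" || :)"
done
```

The function compares build numbers rather than the "Update 3d" wording because `vmware -vl` prints the letter suffix only on its second line and inconsistently across releases; the build number is monotonic within a release line, so a host at or above the fix build is patched. Hosts on a line that got no fix (8.0 GA and Update 1) are reported vulnerable regardless of build, since the only remedy is moving to a patched line.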
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below:
- FusionVM: Alert Logic released unauthenticated network scan detection for ESXi on March 6th, 2025.
- Tripwire IP360: Tripwire released scan coverage on March 12, 2025, to identify vulnerable instances for IP360. The following table maps each CVE to the IP360 vulnerability IDs that detect it.
CVE | Tripwire IP360 Vulnerabilities |
CVE-2025-22224 | 706615, 706618, or 706620 |
CVE-2025-22225 | 706616 |
CVE-2025-22226 | 706613, 706617, 706619, or 706621 |
Updates
Fortra has kicked off the Emerging Threats process for these vulnerabilities. We will update this article with new information about them and related security coverage as it becomes available.
3/6/2025: Alert Logic released unauthenticated network scan detection for ESXi.
3/12/2025: Tripwire released scan coverage to identify vulnerable instances for IP360.