Critical VMware Vulnerabilities in Broadcom Advisory 25390: Immediate Patching Required

Rescana Security Advisory Report on Broadcom Security Advisory


Executive Summary

This advisory report covers the recently disclosed vulnerabilities outlined in Broadcom Security Advisory 25390, which affect VMware ESXi, Workstation, and Fusion. The vulnerabilities are CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. They are rated critical and important, exploitation in the wild has been confirmed, and affected organizations should act immediately. The vulnerabilities were discovered by the Microsoft Threat Intelligence Center and have been addressed by VMware in recent patch releases. The adversaries behind these exploits have primarily targeted sectors and countries with significant virtualization infrastructure, underlining the need for prompt mitigation.

Technical Information

The first vulnerability, CVE-2025-22224, is a VMCI Heap-Overflow Vulnerability with a CVSSv3 score of 9.3, classified as critical. It manifests as a Time-of-Check to Time-of-Use (TOCTOU) flaw in the VMware ESXi and Workstation environments. This vulnerability facilitates an out-of-bounds write operation, which can be leveraged by a threat actor possessing local administrative privileges to execute arbitrary code as the VMX process on the host system. The inherent risk here is the potential for severe system compromise and data breaches.

The second vulnerability, CVE-2025-22225, is an Arbitrary Write Vulnerability in VMware ESXi with a CVSSv3 score of 8.2, rated important. The flaw allows a threat actor to perform an arbitrary kernel write, which may lead to a sandbox escape, escalating the attacker's privileges and enabling unauthorized operations on the system. It can be exploited by attackers who already hold privileges within the VMX process, and it therefore poses a significant security risk when chained with the first vulnerability.

The third vulnerability, CVE-2025-22226, involves an HGFS Information-Disclosure Vulnerability with a CVSSv3 score of 7.1. It results from an out-of-bounds read in HGFS, affecting VMware ESXi, Workstation, and Fusion. This vulnerability permits a malicious actor to leak sensitive memory data from the VMX process, potentially exposing critical system and user information to unauthorized entities.

The products impacted by these vulnerabilities include VMware ESXi, VMware Workstation Pro/Player, VMware Fusion, VMware Cloud Foundation, and VMware Telco Cloud Platform. To mitigate these vulnerabilities, affected users should promptly apply the patches listed in the advisory's response matrix.

Exploitation in the Wild

The vulnerabilities have been exploited in the wild, with evidence suggesting that attackers are actively leveraging these flaws to gain unauthorized access and escalate privileges within virtualized environments. Indicators of Compromise (IOCs) include unusual administrative access requests, irregular VMX process activities, and unexpected data leaks or system anomalies.

APT Groups using this vulnerability

Advanced Persistent Threat (APT) groups known for targeting virtualization technologies have been leveraging these vulnerabilities to infiltrate high-value targets. These groups focus on sectors such as telecommunications, finance, and critical infrastructure, primarily in regions with advanced cloud and virtualization deployments.

Affected Product Versions

The affected versions requiring immediate patching, and the fixed builds to apply, are as follows:

VMware ESXi 8.0: update to ESXi80U3d-24585383 or ESXi80U2d-24585300
VMware ESXi 7.0: update to ESXi70U3s-24585291
VMware Workstation 17.x: update to version 17.6.3
VMware Fusion 13.x: update to version 13.6.3
VMware Cloud Foundation and VMware Telco Cloud Platform: follow the patch instructions in KB389385
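As an added example (not from the advisory and not VMware's own tooling), the following Python check parses the output of `esxcli system version get` on an ESXi host and compares the reported build number against the fixed builds listed above. The mapping of the reported version strings 8.0.3, 8.0.2 and 7.0.3 to the 8.0 U3, 8.0 U2 and 7.0 U3 lines is an assumption, and the sample output is constructed.

```python
"""Check an ESXi host's reported version/build against the fixed builds
named in Broadcom advisory 25390 (example code, not VMware's)."""
import re

# Fixed builds per release line, taken from the advisory text above.
# Assumption: esxcli reports 8.0 U3 as "8.0.3", 8.0 U2 as "8.0.2", 7.0 U3 as "7.0.3".
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}


def parse_esxcli_version(text: str) -> dict:
    """Parse 'esxcli system version get' output ("Key: value" lines) into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess_host(text: str) -> tuple:
    """Return (status, detail); status is 'patched', 'vulnerable' or 'unknown'."""
    f = parse_esxcli_version(text)
    version = f.get("Version", "")
    m = re.search(r"(\d+)$", f.get("Build", ""))  # e.g. "Releasebuild-24585383"
    if not m:
        return "unknown", "could not read build number"
    build = int(m.group(1))
    if version not in FIXED_BUILDS:
        # 7.0/8.0 lines without a listed fix (e.g. 8.0.1) must move to a fixed line.
        if version.startswith(("7.0", "8.0")):
            return "vulnerable", f"no fixed build listed for ESXi {version}; upgrade to a fixed update line"
        return "unknown", f"unrecognised version {version!r}"
    fixed = FIXED_BUILDS[version]
    if build >= fixed:
        return "patched", f"ESXi {version} build {build} >= fixed build {fixed}"
    return "vulnerable", f"ESXi {version} build {build} < fixed build {fixed}"


# Constructed sample: an 8.0 U3 host on a pre-advisory build.
SAMPLE_UNPATCHED = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
"""

if __name__ == "__main__":
    print(assess_host(SAMPLE_UNPATCHED))
```

Run the check against `esxcli system version get` output collected from each host; a host on a 7.0 or 8.0 line without a listed fix still needs to move to one of the fixed update lines.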

Workaround and Mitigation

Immediate application of the VMware patches is essential to mitigate these vulnerabilities. Additionally, organizations should conduct thorough security audits to identify any unauthorized access or data anomalies. Implementing robust access controls, especially for administrative privileges, and monitoring for unusual system behaviors can further fortify defenses against potential exploits.

Rescana is here for you

Rescana is committed to providing robust cybersecurity solutions through our Third Party Risk Management (TPRM) platform. We help our customers identify and mitigate risks associated with their third-party partnerships, ensuring a comprehensive approach to cybersecurity. For any questions or further assistance regarding this report or other cybersecurity concerns, please reach out to us at ops@rescana.com.
