VMware is urgently advising customers to patch newly discovered vulnerabilities in its ESXi, Workstation, and Fusion products, as hackers are actively exploiting these flaws. The Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, issuing an emergency directive for federal civilian agencies to apply patches by March 25th.
The vulnerabilities, reported by the Microsoft Threat Intelligence Center, impact several VMware products:
- ESXi: VMware’s enterprise-class hypervisor.
- Workstation: A hosted hypervisor for desktop use.
- Fusion: VMware’s virtualization solution for macOS.
- Cloud Foundation
- Telco Cloud Platform
VMware has confirmed that the vulnerabilities are being actively exploited. The most severe of these, CVE-2025-22224, has been assigned a high severity score. This critical vulnerability allows an attacker with administrative privileges within a virtual machine (VM) to execute code on the host operating system. This could lead to a complete compromise of the host system and potentially all VMs running on that server.
According to VMware, patching these vulnerabilities qualifies as an “emergency change,” emphasizing the critical need for prompt action.
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
- CVE-2025-22225 VMware ESXi Arbitrary Write Vulnerability
- CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
- CVE-2025-22226 VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability
Key Takeaways:
- Active Exploitation: Hackers are actively exploiting these vulnerabilities.
- Critical Vulnerability (CVE-2025-22224): Allows code execution on the host system from a compromised VM.
- CISA Directive: Federal agencies must patch by March 25th.
- Emergency Patching Required: VMware considers patching an “emergency change.”
Recommendations:
VMware strongly recommends that all users of the affected products apply the available patches immediately. Given the active exploitation and the potential for severe compromise, organizations should prioritize this patching effort to mitigate the risk of cyberattacks.
