
Broadcom has addressed multiple high-severity vulnerabilities in VMware ESXi, Workstation, and Fusion products, as detailed in NCSC advisory NCSC-2025-0073. These vulnerabilities could allow attackers with local administrative privileges to execute arbitrary code, escape sandbox environments, and leak sensitive memory information. One vulnerability (CVE-2025-22226) has reportedly seen active exploitation in the wild according to DeepBlue Security & Intelligence.
Key Points:
- Three distinct vulnerability types patched: TOCTOU race condition, arbitrary kernel writes, and memory leak
- Attack vectors require local administrative privileges or VMX process access
- One CVE (CVE-2025-22226) confirmed as actively exploited
- NCSC rates the probability of exploitation as medium and the potential impact as high
- Affects VMware ESXi, Workstation, and Fusion products
Technical Analysis
Vulnerability Breakdown
The patched vulnerabilities present multiple attack vectors for privileged attackers:
1. TOCTOU Race Condition (CVE-2025-22224)
- Allows local administrators to execute code as the VMX process via out-of-bounds write
- Exploits time-of-check to time-of-use race condition in host operations
- Requires precise timing for successful exploitation
2. Arbitrary Kernel Write (CVE-2025-22225)
- Enables VMX process to perform kernel-level writes
- Could facilitate sandbox escape scenarios
- Requires existing VMX process privileges
3. HGFS Memory Leak (CVE-2025-22226)
- Out-of-bounds read in Host-Guest File System (HGFS)
- Leaks VMX process memory contents
- Actively exploited according to Broadcom
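The TOCTOU item above is easiest to understand from the generic pattern behind it: a length field that lives in memory another party can write is checked once and then read again at the point of use, so a change in between bypasses the check. The following C example is added here for illustration and is not VMware's code; the `shared_request` structure, `read_len()` helper and the 64-byte `MAX_PAYLOAD` limit are constructed so that the race outcome is deterministic (the second fetch always sees the swapped value), and the vulnerable handler is shown beside the single-fetch form that closes the window.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Maximum payload a host-side handler is willing to copy per request.
 * Chosen for this illustration; not a VMware constant. */
#define MAX_PAYLOAD 64

/* Model of a request header living in memory the other side can write at any
 * time. Instead of a real concurrent writer, read_len() deterministically
 * returns len_before on the first fetch and len_after on every later fetch,
 * which models the writer winning the race between check and use.
 * Constructed for this example. */
struct shared_request {
    uint32_t len_before;   /* value seen by the first read (passes the check) */
    uint32_t len_after;    /* value the writer swaps in after the check */
    unsigned reads;        /* how many times len has been fetched so far */
    uint8_t data[256];     /* payload area */
};

static uint32_t read_len(struct shared_request *req) {
    return req->reads++ == 0 ? req->len_before : req->len_after;
}

/* Vulnerable handler: the length is fetched twice. The check sees the first
 * value, the copy uses the second one, so the bound can be bypassed.
 * Returns the number of bytes copied, or -1 if the check rejected the request. */
static int handle_racy(struct shared_request *req, uint8_t *out) {
    if (read_len(req) > MAX_PAYLOAD)          /* check: first fetch */
        return -1;
    uint32_t n = read_len(req);               /* use: second fetch */
    memcpy(out, req->data, n);
    return (int)n;
}

/* Hardened handler: fetch the length exactly once into a private local,
 * validate that copy, and use only that copy afterwards. */
static int handle_safe(struct shared_request *req, uint8_t *out) {
    uint32_t n = read_len(req);               /* single fetch */
    if (n > MAX_PAYLOAD)
        return -1;
    memcpy(out, req->data, n);
    return (int)n;
}

/* Constructed request: a benign length at check time, an oversized one at
 * use time. The output buffer is sized to absorb the over-copy so the demo
 * itself stays memory-safe while still reporting how many bytes went through. */
static int racy_bytes_copied(void) {
    struct shared_request req = { .len_before = 8, .len_after = 200, .reads = 0 };
    uint8_t out[256];
    memset(req.data, 0x41, sizeof req.data);
    return handle_racy(&req, out);
}

static int safe_bytes_copied(void) {
    struct shared_request req = { .len_before = 8, .len_after = 200, .reads = 0 };
    uint8_t out[256];
    memset(req.data, 0x41, sizeof req.data);
    return handle_safe(&req, out);
}

/* The hardened handler also rejects a request whose first (and only) fetch
 * is already over the limit. */
static int safe_rejects_oversized(void) {
    struct shared_request req = { .len_before = 200, .len_after = 200, .reads = 0 };
    uint8_t out[256];
    return handle_safe(&req, out);
}

int main(void) {
    printf("racy handler copied %d bytes (limit %d)\n", racy_bytes_copied(), MAX_PAYLOAD);
    printf("safe handler copied %d bytes (limit %d)\n", safe_bytes_copied(), MAX_PAYLOAD);
    printf("safe handler on oversized request: %d\n", safe_rejects_oversized());
    return 0;
}
```

Running it shows the racy handler copying 200 bytes past a 64-byte limit it believed it had enforced, while the single-fetch handler copies the 8 bytes it validated. This is the property to look for when reviewing any host-side code that parses guest-writable memory: every field that influences a bound must be copied out once and validated on the private copy.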
Impact Assessment
The combination of these vulnerabilities could enable a multi-stage attack (a theoretical chain, not exploit code):
1. Gain local admin access (phishing, credential theft)
2. Exploit TOCTOU to execute code as VMX process
3. Use arbitrary write to escalate to kernel
4. Leverage memory leaks to find sensitive data
Affected Products
According to the NCSC advisory, the following VMware products are affected:
| Product Family | Specific Products |
|---|---|
| Virtualization Platform | VMware ESXi |
| Desktop Virtualization | VMware Workstation Pro/Player |
| Desktop Virtualization | VMware Fusion Pro/Fusion |
Detection and Mitigation
Indicators of Compromise
Organizations should monitor for:
- Unusual VMX process activity
- Unexpected kernel module loads
- HGFS operations accessing unusual memory ranges
- Multiple failed privilege escalation attempts
Remediation Steps
Immediate Actions:
- Apply all VMware security updates immediately
- Restrict local administrative access
- Monitor for anomalous VMX process behavior
Long-term Measures:
- Implement strict privilege separation
- Enable memory protection features
- Audit VM configuration files
Relevance to Security Teams
For Defensive Teams
- Update SIEM rules to detect HGFS memory access patterns
- Review VM logging configurations
- Implement application allowlisting for VMX processes
For Offensive Researchers
- Study the TOCTOU pattern for future research
- Analyze VMX process isolation mechanisms
- Document sandbox escape techniques
Conclusion
The NCSC-2025-0073 advisory highlights critical vulnerabilities in core VMware products that could enable privilege escalation and sandbox escape. While exploitation requires initial access, the confirmed active exploitation of CVE-2025-22226 makes prompt patching essential. Security teams should prioritize updating affected systems and monitoring for related attack patterns.
As virtualization platforms remain high-value targets, these vulnerabilities underscore the importance of strict access controls and continuous monitoring of hypervisor-level activities.