Hey everyone,
I wanted to bring to your attention some critical news from Broadcom regarding VMware vulnerabilities. I saw this in an article that was just published on TechCrunch by Carly Page on March 5, 2025, at 6:53 AM PST. Broadcom, a major player in the tech industry, is sounding the alarm about three VMware vulnerabilities that are currently being exploited by malicious hackers. These vulnerabilities are putting the networks of corporate customers at serious risk.
The three vulnerabilities, collectively dubbed “ESXicape” by a security researcher, affect VMware ESXi, Workstation, and Fusion. These are popular hypervisor products that allow multiple virtual machines to run on a single server, reducing the amount of physical server hardware an organization needs.
Broadcom, which acquired VMware in 2023, has identified these vulnerabilities as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. These flaws could enable an attacker who already holds administrator or root privileges inside a guest virtual machine to break out of that VM’s isolated environment and gain unauthorized access to the underlying hypervisor.
Once an attacker gains access to the hypervisor, they can potentially access any other virtual machine, including those owned by other companies within the same physical data center. Broadcom has indicated that there is evidence suggesting these vulnerabilities have been exploited in the wild.
Stephen Fewer, a principal security researcher at Rapid7, emphasized the severity of the situation, stating, “The impact here is huge, an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor.”
Unfortunately, Broadcom has not provided specific details about the nature of the attacks or the threat actors involved. They also did not disclose whether any customer data had been accessed. Microsoft, which discovered and reported the vulnerabilities to Broadcom, has also remained silent on the matter.
Security researcher Kevin Beaumont mentioned on Mastodon that these vulnerabilities are being actively exploited by an unnamed ransomware group. VMware vulnerabilities are often targeted by ransomware groups because they can be used to compromise multiple servers in a single attack, and sensitive corporate data is frequently stored in these virtualized environments.
In 2024, Microsoft discovered that multiple ransomware groups were exploiting a VMware hypervisor flaw in attacks deploying Black Basta and LockBit ransomware. The previous year, a large-scale hacking campaign known as “ESXiArgs” saw ransomware groups exploiting a two-year-old VMware vulnerability to target thousands of organizations worldwide.
Broadcom has released patches for these three vulnerabilities, which are classified as “zero-day” bugs because they were exploited before a fix was available. Broadcom is urging customers to apply these patches immediately, describing the security advisory as an “emergency” change.
Additionally, the U.S. government cybersecurity agency CISA is warning federal agencies to patch against these bugs, adding them to its catalog of vulnerabilities known to be under attack.
Stay safe and make sure to update your systems as soon as possible!
Tony DiDonato
CEO, TMGC