
U.S. technology giant Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by malicious hackers to compromise the networks of its corporate customers.
The three vulnerabilities, collectively dubbed “ESXicape” by one security researcher, affect VMware ESXi, Workstation, and Fusion, which are widely used software hypervisor products that allow multiple virtual machines to run on a single physical server. Hypervisors are commonly used to reduce the need for physical server space.
Broadcom, which acquired VMware in 2023, said that the vulnerabilities (tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) could allow an attacker with administrator or root privileges on a virtual machine to escape its protected sandbox and gain broader unauthorized access to the underlying hypervisor. In other words, the bugs are a guest-to-host escape: the attacker must already control a guest, but from there can reach the host that runs it.
With access to the hypervisor, an attacker can gain access to any other virtual machine running on that host, including virtual systems owned by other companies within the same physical data center.
Broadcom says it has “information to suggest” that the vulnerabilities have been exploited in the wild.
“The impact here is huge, an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor,” Stephen Fewer, principal security researcher at threat intelligence company Rapid7, told TechCrunch.
Broadcom did not share any details about the nature of the attacks or the threat actors behind them, and did not say whether any customer data had been accessed. A spokesperson for Broadcom did not respond to TechCrunch’s questions. Microsoft, which discovered and reported the vulnerabilities to Broadcom, also did not respond by press time.
Security researcher Kevin Beaumont said in a post on Mastodon that the three vulnerabilities are being actively exploited by an as-yet-unnamed ransomware group.
VMware vulnerabilities are frequently targeted by ransomware groups because a single exploit can be used to compromise many servers in one attack, and because sensitive corporate data is often stored in these virtualized environments.
Microsoft found in 2024 that several ransomware groups were exploiting a VMware hypervisor flaw in attacks deploying Black Basta and LockBit ransomware in data-stealing campaigns targeting corporate data. The previous year, a large-scale hacking campaign, dubbed “ESXiArgs,” saw ransomware groups exploit a two-year-old VMware vulnerability to target thousands of organizations worldwide.
Broadcom has released patches for the three vulnerabilities, which are classed as “zero-day” bugs because they were exploited before a fix was made available. Broadcom described its security advisory as an “emergency” change and is urging customers to apply the patches as soon as possible.
U.S. government cybersecurity agency CISA is also warning federal agencies to patch against the bugs, which it has added to its running catalog of vulnerabilities known to be under attack.
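For teams that track the CISA catalog mentioned above, one routine check is to cross-reference the CVE IDs in a vendor advisory against the Known Exploited Vulnerabilities (KEV) feed and flag which ones carry a remediation due date that has already passed. The following Python is an added illustration of that check; it is not part of the article and is not Broadcom, VMware or CISA tooling. The only facts it takes from the page are the three CVE IDs. The JSON field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) follow the published KEV schema, but the embedded feed is a constructed fixture: its dates, product strings and the unrelated fourth entry are placeholders, not CISA data.

```python
"""Cross-check advisory CVE IDs against a CISA KEV-style feed.

Added example for this article; not Broadcom, VMware or CISA code.
Field names follow the published KEV JSON schema; the data below is a
constructed fixture, not the live catalog.
"""
import json
from dataclasses import dataclass

# The three CVE IDs named in the Broadcom advisory discussed in the article.
ESXICAPE_CVES = ("CVE-2025-22224", "CVE-2025-22225", "CVE-2025-22226")

# Constructed fixture shaped like the live feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Dates, product strings and the fourth (unrelated) entry are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "0000.00.00",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi and Workstation",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22226", "vendorProject": "VMware", "product": "ESXi, Workstation, and Fusion",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleCorp", "product": "Widget",
         "dateAdded": "2025-06-01", "dueDate": "2025-06-22",
         "knownRansomwareCampaignUse": "Known"},
    ],
})


@dataclass(frozen=True)
class KevHit:
    cve_id: str
    vendor: str
    product: str
    date_added: str
    due_date: str
    ransomware_use: str


def load_kev(raw: str) -> dict[str, dict]:
    """Parse a KEV feed document and index its entries by upper-cased CVE ID."""
    doc = json.loads(raw)
    return {v["cveID"].upper(): v for v in doc.get("vulnerabilities", [])}


def kev_hits(kev: dict[str, dict], cve_ids) -> list[KevHit]:
    """Return the KEV records for the requested CVE IDs, in the order given."""
    hits = []
    for cve in cve_ids:
        v = kev.get(cve.strip().upper())
        if v is None:
            continue
        hits.append(KevHit(
            cve_id=v["cveID"],
            vendor=v.get("vendorProject", ""),
            product=v.get("product", ""),
            date_added=v.get("dateAdded", ""),
            due_date=v.get("dueDate", ""),
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown"),
        ))
    return hits


def missing_from_kev(kev: dict[str, dict], cve_ids) -> list[str]:
    """CVE IDs from the advisory that the feed does not (yet) list."""
    return [c for c in cve_ids if c.strip().upper() not in kev]


def overdue(hits: list[KevHit], today: str) -> list[KevHit]:
    """Hits whose remediation due date is before `today` (ISO dates compare lexically)."""
    return [h for h in hits if h.due_date and h.due_date < today]


def vendor_entries(kev: dict[str, dict], vendor: str) -> list[str]:
    """All CVE IDs in the feed attributed to a vendor (case-insensitive match)."""
    return sorted(c for c, v in kev.items()
                  if v.get("vendorProject", "").lower() == vendor.lower())


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for h in kev_hits(kev, ESXICAPE_CVES):
        print(f"{h.cve_id}: {h.vendor} {h.product}; added {h.date_added}, "
              f"due {h.due_date}, ransomware use: {h.ransomware_use}")
    print("not in KEV:", missing_from_kev(kev, ESXICAPE_CVES + ("CVE-2024-9999",)))
    print("overdue as of 2025-02-01:",
          [h.cve_id for h in overdue(kev_hits(kev, ESXICAPE_CVES), "2025-02-01")])
```

In practice you would fetch the live feed from the URL in the comment and pass its text to `load_kev` instead of the fixture; the real entries also carry `requiredAction` and `notes` fields that are worth surfacing in a ticket. The due date in the feed is a deadline for U.S. federal agencies, but it is a useful yardstick for anyone prioritizing hypervisor patching.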