Urgent Alert: Broadcom Calls on VMware Users to Patch Critical Zero-Day Vulnerabilities Under Active Exploitation

In a significant cybersecurity alert, U.S. technology giant Broadcom has raised concerns about a set of VMware vulnerabilities that are being actively exploited by malicious hackers. These vulnerabilities pose a serious threat to the networks of corporate customers and require immediate attention.

Overview of the VMware Vulnerabilities

Three vulnerabilities, collectively nicknamed “ESXicape” and the most severe of them rated critical, affect VMware’s widely used hypervisor products: ESXi, Workstation, and Fusion. These products run multiple virtual machines on a single physical machine, which is why companies use them to consolidate server hardware.

Details of the Vulnerabilities

Broadcom, which acquired VMware in 2023, has identified the vulnerabilities as:

  • CVE-2025-22224
  • CVE-2025-22225
  • CVE-2025-22226

These vulnerabilities could enable an attacker who already has administrator or root privileges inside a virtual machine to escape the guest and run code on the underlying hypervisor. From the hypervisor, the attacker can reach every other virtual machine running on the same host, which is what makes a guest-to-host escape far more damaging than a compromise of a single VM.

Active Exploitation and Threat Landscape

Broadcom has indicated that it has “information to suggest” that these vulnerabilities are being actively exploited. Stephen Fewer, a principal security researcher at Rapid7, emphasized the severe implications: “An attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor.”

Despite inquiries, Broadcom did not disclose specifics about the attacks or the identity of the threat actors involved. Similarly, Microsoft, which initially discovered the vulnerabilities, has yet to respond to requests for comment.

Ransomware Threats Targeting VMware

Security expert Kevin Beaumont noted on Mastodon that these vulnerabilities are currently being exploited by an unidentified ransomware group. Ransomware attacks targeting VMware vulnerabilities are particularly concerning because a single compromised hypervisor gives the attacker access to many servers at once, and those servers often hold sensitive corporate data.


In fact, in 2024, Microsoft reported that various ransomware groups were leveraging a VMware hypervisor flaw in attacks deploying Black Basta and LockBit ransomware, specifically targeting corporate data. The previous year saw the large-scale hacking campaign named “ESXiArgs,” in which ransomware groups exploited an older VMware vulnerability to affect thousands of organizations globally.

Recommended Actions and Security Measures

In response to these vulnerabilities, Broadcom has released patches. The flaws are classified as “zero-day” bugs because they were exploited before a fix was available, and Broadcom has issued the advisory as an “emergency” update, urging all customers to apply the patches immediately. Because exploitation requires privileges inside a guest VM, administrators should also treat any VM that a third party or untrusted user can administer as a potential starting point for an attack until the host is patched.

Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the three CVEs to its Known Exploited Vulnerabilities (KEV) catalog and is directing federal agencies to apply the patches, a signal that private-sector organizations typically treat as a patch-now priority as well.
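A practical first step after an advisory like this is to confirm which hosts are actually below the fixed build. The following is an added example, not code from the article, from Broadcom, or from any VMware tool: it parses the output of `esxcli system version get` (a constructed sample is embedded) and compares the host's build number against the patched build for its exact version line. The build numbers in `FIXED_BUILDS_EXAMPLE` are illustrative values to be replaced with those listed in Broadcom's advisory for each ESXi version line; each version line (for example 7.0.3 versus 8.0.3) has its own patched build, so they are keyed by the full version string rather than by major version.

```python
"""Added example: flag ESXi hosts whose build predates the patched build.

Illustrative code, not from Broadcom's advisory or any VMware tool.
The esxcli output below is a constructed sample; the fixed build numbers
are placeholders to be replaced with the values from the vendor advisory.
"""
import re
from typing import Dict, Optional

# Constructed sample of `esxcli system version get` output from one host.
SAMPLE_ESXCLI_OUTPUT = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
"""

# Assumed/illustrative mapping of ESXi version line -> minimum patched build.
# Replace with the build numbers the advisory lists for your version lines.
FIXED_BUILDS_EXAMPLE: Dict[str, int] = {
    "8.0.3": 24585383,
    "7.0.3": 24585291,
}


def parse_esxcli_version(text: str) -> Dict[str, str]:
    """Parse the indented 'Key: value' lines of `esxcli system version get`."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def build_number(info: Dict[str, str]) -> Optional[int]:
    """Extract the numeric build from a value such as 'Releasebuild-24022510'."""
    m = re.search(r"(\d+)\s*$", info.get("Build", ""))
    return int(m.group(1)) if m else None


def needs_patch(info: Dict[str, str], fixed_builds: Dict[str, int]) -> Optional[bool]:
    """Return True if the host's build is below the patched build for its
    exact version line, False if it is at or above it, and None when the
    version line is not in the table or the build could not be parsed.
    Returning None (rather than False) keeps unknown hosts from being
    silently reported as safe."""
    version = info.get("Version", "")
    build = build_number(info)
    if build is None or version not in fixed_builds:
        return None
    return build < fixed_builds[version]


if __name__ == "__main__":
    host = parse_esxcli_version(SAMPLE_ESXCLI_OUTPUT)
    status = needs_patch(host, FIXED_BUILDS_EXAMPLE)
    label = {True: "NEEDS PATCH", False: "patched", None: "UNKNOWN - check manually"}[status]
    print(f"ESXi {host.get('Version')} build {build_number(host)}: {label}")
```

In a real environment the `esxcli` output would come from each host (for example over SSH or from the vSphere API) rather than from the embedded sample, and any host that returns `None` should be reviewed by hand rather than assumed patched.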
