Broadcom releases fixes for multiple VMware security flaws


  • Broadcom releases fix for three vulnerabilities being abused in the wild
  • The bugs were described as VM escape flaws
  • The company urged users to apply the fix as soon as possible

Broadcom has released fixes for three vulnerabilities affecting several of its VMware products. One of the three is rated critical, and the company says the flaws are already being exploited in the wild.

In the security advisory, Broadcom said the patch addresses VM escape vulnerabilities tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. A VM escape is a vulnerability that lets an attacker who has already compromised a virtual machine's guest OS, and holds privileged access inside it, break out of the guest and run code on the hypervisor itself. That makes the starting point for an attack a single compromised or malicious VM, not the host, which is why these flaws matter even for hosts that are not directly exposed.

The bugs affect all supported versions of VMware ESX, VMware vSphere, VMware Cloud Foundation, and VMware Telco Cloud Platform (the advisory also lists VMware Workstation and Fusion). They carry CVSS severity scores of 9.3, 8.2, and 7.1, respectively. Broadcom said there are no workarounds, so the only remediation is to upgrade to a fixed build.
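Because the only remediation is a fixed build, the first thing an operator wants is a quick way to tell which hosts are still below it. The script below is an added example, not code from Broadcom or VMware: it parses the version and build number out of the text that `esxcli system version get` or `vmware -v` print on an ESXi host (the sample outputs here are constructed, not captured from a real system), and compares the build against a per-release-line table of first fixed builds. The numbers in `EXAMPLE_FIXED_BUILDS` are placeholders chosen for the example; the real fixed builds for CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226 must be taken from Broadcom's advisory.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Map of ESXi release line (major, minor) -> first build that carries the fix.
BuildTable = Dict[Tuple[int, int], int]

# Constructed sample outputs (not captured from a real host), in the shape of
# `esxcli system version get` and of `vmware -v` on an ESXi shell.
SAMPLE_ESXCLI = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
"""
SAMPLE_VMWARE_V = "VMware ESXi 7.0.3 build-23794027"

# PLACEHOLDER table (an assumption for this example). Replace every value with
# the fixed build listed in Broadcom's advisory before relying on the result.
EXAMPLE_FIXED_BUILDS: BuildTable = {
    (7, 0): 24100000,
    (8, 0): 24200000,
}

# "Version: 8.0.3" (esxcli) or "ESXi 8.0.3" (vmware -v); "build-NNN" or
# "Releasebuild-NNN" for the build number.
_VERSION_RE = re.compile(r"(?:Version:\s*|ESXi\s+)(\d+(?:\.\d+)+)")
_BUILD_RE = re.compile(r"[Bb]uild-?(\d+)")


@dataclass(frozen=True)
class EsxiVersion:
    version: Tuple[int, ...]  # e.g. (8, 0, 3)
    build: int                # e.g. 24022510


def parse_esxi_version(text: str) -> Optional[EsxiVersion]:
    """Extract version and build from either command's output.

    Returns None when either field is missing instead of guessing, so a
    truncated or unexpected output is reported rather than silently passed.
    """
    vm = _VERSION_RE.search(text)
    bm = _BUILD_RE.search(text)
    if not vm or not bm:
        return None
    parts = tuple(int(p) for p in vm.group(1).split("."))
    return EsxiVersion(version=parts, build=int(bm.group(1)))


def assess(text: str, fixed_builds: BuildTable) -> str:
    """Classify a host as 'patched', 'needs patch', 'unknown line' or 'unparseable'.

    Builds within one release line increase monotonically, so a build at or
    above the first fixed build for that line has the fix. A line that is not
    in the table (for example an end-of-life release) is flagged separately
    rather than treated as safe.
    """
    v = parse_esxi_version(text)
    if v is None:
        return "unparseable"
    fixed = fixed_builds.get(v.version[:2])
    if fixed is None:
        return "unknown line"
    return "patched" if v.build >= fixed else "needs patch"


if __name__ == "__main__":
    for label, sample in (("esxcli", SAMPLE_ESXCLI), ("vmware -v", SAMPLE_VMWARE_V)):
        print(f"{label}: {assess(sample, EXAMPLE_FIXED_BUILDS)}")
```

In practice the output text would come from running the command over SSH or from vCenter's host inventory, and the table would hold one entry per supported line from the advisory; the useful part of the check is that anything it cannot parse or cannot find in the table is surfaced for a human rather than counted as patched.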

Targeting VMware

"Broadcom has information to suggest that exploitation of these issues has occurred 'in the wild,'" the company said in the advisory.

Since VMware products are widely deployed in both enterprise and SMB environments, and a hypervisor compromise exposes every workload running on it, they are a popular target for cybercriminals looking to reach sensitive company data. Broadcom regularly publishes security advisories and patches for the product line, and several recent ones have also involved in-the-wild exploitation.

In mid-November 2024, for example, Broadcom warned that two flaws in its VMware vCenter Server product were being exploited in the wild. As now, the company urged users to apply the patch immediately and warned that there were no workarounds. Because vCenter manages the hosts and VMs of an entire environment, a compromise there can do considerable damage across a network.

Earlier still, in March 2024, VMware patched a batch of security vulnerabilities affecting several of its key products. The vulnerabilities affected ESXi, Workstation, and Fusion, and are tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. The first two are use-after-free flaws in the XHCI and UHCI USB controllers respectively, affecting all three products. For Workstation and Fusion they carry a severity score of 9.3, while for ESXi it is 8.4.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

