Broadcom has released critical security updates addressing four vulnerabilities in VMware ESXi, Workstation, Fusion, and Tools that could allow attackers with administrative privileges on virtual machines to execute malicious code on the underlying host systems.
The vulnerabilities, identified as CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, and CVE-2025-41239, carry CVSS scores ranging from 6.2 to 9.3, with three rated as critical severity.
Security researchers discovered these vulnerabilities during Pwn2Own competitions and reported them through the Zero Day Initiative, prompting immediate patches from Broadcom.
The most severe vulnerabilities identified in this security advisory present significant risks to virtualized environments:
- CVE-2025-41236 (VMXNET3 Integer-Overflow): This critical vulnerability affects the VMXNET3 virtual network adapter with a maximum CVSS score of 9.3. Malicious actors with local administrative privileges on virtual machines using VMXNET3 adapters can execute arbitrary code on the host system. Discovered by security researcher Nguyen Hoang Thach of STARLabs SG, this vulnerability specifically targets the virtual network adapter component, leaving other virtual adapter types unaffected.
- CVE-2025-41237 (VMCI Integer-Underflow): Equally concerning with a 9.3 CVSS score, this integer-underflow vulnerability in VMware Virtual Machine Communication Interface (VMCI) leads to out-of-bounds write conditions. Attackers with local administrative access can execute code as the virtual machine's VMX process on the host. Corentin Bayet of REverse Tactics identified this vulnerability during Pwn2Own research.
- Platform-Specific Impact: While ESXi environments contain exploitation within the VMX sandbox, Workstation and Fusion installations face more severe risks with potential code execution on the underlying machine, highlighting critical differences in security posture across VMware platforms.
VMware ESXi and Workstation Vulnerabilities
The third critical vulnerability, CVE-2025-41238, targets the Paravirtualized SCSI (PVSCSI) controller through a heap-overflow condition resulting in out-of-bounds writes.
With a CVSS score of 9.3, this vulnerability enables attack vectors similar to those of the VMCI vulnerability, allowing local administrators to execute code as the VMX process.
However, ESXi environments experience limited impact as exploitation requires unsupported configurations and remains contained within the VMX sandbox.
Thomas Bouzerar and Etienne Helluy-Lafont of Synacktiv discovered this vulnerability, also during Pwn2Own competitions.
The exploitation scenarios vary significantly between platforms. ESXi deployments benefit from sandboxing mechanisms that contain potential attacks, while Workstation and Fusion environments face direct host system compromise risks.
These distinctions highlight the importance of platform-specific security considerations when assessing vulnerability impact.
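For patch prioritization, the following added example (not code from the article or from Broadcom) parses a VM's `.vmx` configuration and reports which of the three emulated devices named above are present. It assumes the usual `.vmx` key names (`ethernetN.virtualDev`, `scsiN.virtualDev`, `vmciN.present`) and uses a constructed sample config; it does not replace patching.

```python
import re

# Device-to-CVE mapping taken from the article above.
DEVICE_CVES = {
    "vmxnet3": "CVE-2025-41236",
    "vmci": "CVE-2025-41237",
    "pvscsi": "CVE-2025-41238",
}

# .vmx entries have the form: key = "value"
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value}, ignoring comments and malformed lines."""
    cfg = {}
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def exposed_devices(text):
    """List (slot, device, CVE) for enabled devices that the article names."""
    cfg = parse_vmx(text)
    hits = []
    for key, value in cfg.items():
        slot, _, attr = key.partition(".")
        # Assumption: a slot without <slot>.present = "TRUE" is not attached.
        if cfg.get(slot + ".present", "").lower() != "true":
            continue
        dev = value.lower()
        if attr == "virtualdev" and dev in DEVICE_CVES:
            hits.append((slot, dev, DEVICE_CVES[dev]))
        elif attr == "present" and re.fullmatch(r"vmci\d+", slot):
            hits.append((slot, "vmci", DEVICE_CVES["vmci"]))
    return sorted(hits)

# Constructed sample configuration (not from a real system).
SAMPLE_VMX = '''
displayName = "build-agent-01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000e"
scsi0.present = "TRUE"
scsi0.virtualDev = "pvscsi"
scsi1.present = "FALSE"
scsi1.virtualDev = "pvscsi"
vmci0.present = "TRUE"
'''

if __name__ == "__main__":
    for slot, dev, cve in exposed_devices(SAMPLE_VMX):
        print(f"{slot}: {dev} -> {cve}")
```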
Patches Available
The fourth vulnerability, CVE-2025-41239, represents an information disclosure issue in vSockets functionality affecting ESXi, Workstation, Fusion, and VMware Tools.
With a CVSS score of 7.1, this vulnerability stems from uninitialized memory usage, potentially allowing attackers to leak sensitive information from processes communicating through vSockets.
According to the report, Broadcom emphasizes that no workarounds exist for these vulnerabilities, making immediate patching essential for all affected environments.
Independent researchers Corentin Bayet and Gwangun Jung of THEORI separately identified this vulnerability.
The company has released comprehensive patches across its product portfolio, including VMware Cloud Foundation, vSphere Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure.
Organizations should prioritize these updates given the critical nature of the vulnerabilities and the potential for host system compromise through virtual machine escape techniques.