By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
VMCI Heap-Overflow Vulnerability in VMware ESXi and Workstation
CVSS Score: 9.3 (Critical)
Identifier: CVE-2025-22224
Exploit or POC: Yes, active exploitation has been observed in the wild.
Update: CVE-2025-22224 – VMware Security Advisory
Description: CVE-2025-22224 is a critical Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write in VMware ESXi and Workstation. This flaw allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host, potentially leading to a full system compromise. Active exploitation of this vulnerability has been reported in the wild.
Mitigation Recommendation: Patching is currently the only method of mitigation. VMware has released updates to address this vulnerability. Administrators are advised to apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' in the VMware Security Advisory. Immediate patching is recommended to prevent potential exploitation.
Note: Given the critical nature of this vulnerability and reports of active exploitation, it is imperative to apply the recommended patches promptly to secure your systems.
Arbitrary Write Vulnerability in VMware ESXi
CVSS Score: 8.2 (High)
Identifier: CVE-2025-22225
Exploit or POC: Yes, active exploitation has been observed in the wild.
Update: CVE-2025-22225 – VMware Security Advisory
Description: CVE-2025-22225 is a high-severity arbitrary write vulnerability affecting VMware ESXi. This flaw allows a malicious actor with privileges within the VMX process to trigger an arbitrary kernel write, leading to a sandbox escape. Successful exploitation could enable the attacker to execute arbitrary code on the host system, compromising its integrity and security. Active exploitation of this vulnerability has been reported in the wild.
Mitigation Recommendation: Patching is currently the only method of mitigation. VMware has released updates to address this vulnerability. Administrators are advised to apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' in the VMware Security Advisory. Immediate patching is recommended to prevent potential exploitation.
Note: Given the active exploitation of this vulnerability, it is imperative to apply the recommended patches promptly to secure your systems.
HGFS Information Disclosure Vulnerability in VMware ESXi, Workstation, and Fusion
CVSS Score: 7.1 (High)
Identifier: CVE-2025-22226
Exploit or POC: Yes, active exploitation has been observed in the wild.
Update: CVE-2025-22226 – VMware Security Advisory
Description: CVE-2025-22226 is an information disclosure vulnerability in VMware ESXi, Workstation, and Fusion, caused by an out-of-bounds read in the HGFS (Host Guest File System) component. This flaw allows a malicious actor with administrative privileges on a virtual machine to leak memory from the VMX process running on the host. Successful exploitation could lead to the exposure of sensitive information, potentially aiding further attacks.
Mitigation Recommendation: Patching is currently the only method of mitigation. VMware has released updates to address this vulnerability. Administrators are advised to apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' in the VMware Security Advisory. Immediate patching is recommended to prevent potential exploitation.
Note: Given the active exploitation of this vulnerability, it is imperative to apply the recommended patches promptly to secure your systems.
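Since patching is the only mitigation for all three issues above (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226), the practical question for an administrator is which hosts still run a build older than the fix. The following script is an added example, not code from RedLegg's bulletin or from VMware: it parses the text that `esxcli system version get` prints on an ESXi host and flags hosts whose build number is below the minimum fixed build for their release line. The `FIXED_BUILDS` values and the sample host outputs are constructed placeholders; the real minimum builds must be taken from the 'Fixed Version' column of the Response Matrix in the VMware Security Advisory.

```python
"""Added example (not part of RedLegg's bulletin or of VMware's tooling).

Flags ESXi hosts whose build is older than the fixed build for their
release line.  FIXED_BUILDS below holds PLACEHOLDER numbers: replace them
with the values from the 'Fixed Version' column of the Response Matrix in
the VMware Security Advisory for CVE-2025-22224/-22225/-22226.
"""
import re
from dataclasses import dataclass

# PLACEHOLDER (assumption): release line -> minimum build that contains the fix.
# Fill in from the advisory's Response Matrix before relying on the result.
FIXED_BUILDS = {
    "8.0": 99999999,
    "7.0": 99999999,
}


@dataclass
class EsxiVersion:
    host: str
    version: str  # e.g. "8.0.3"
    build: int    # numeric build, e.g. 24000000


# `esxcli system version get` prints lines such as:
#    Version: 8.0.3
#    Build: Releasebuild-24000000
_VERSION_RE = re.compile(r"^\s*Version:\s*(\d+\.\d+(?:\.\d+)?)\s*$", re.M)
_BUILD_RE = re.compile(r"^\s*Build:\s*(?:Releasebuild-)?(\d+)\s*$", re.M)


def parse_esxcli_version(host: str, output: str) -> EsxiVersion:
    """Extract version string and numeric build from esxcli output."""
    v = _VERSION_RE.search(output)
    b = _BUILD_RE.search(output)
    if not v or not b:
        raise ValueError(f"{host}: could not parse esxcli version output")
    return EsxiVersion(host, v.group(1), int(b.group(1)))


def release_line(version: str) -> str:
    """Reduce a full version such as '8.0.3' to its release line '8.0'."""
    return ".".join(version.split(".")[:2])


def needs_patch(ev: EsxiVersion, fixed: dict = FIXED_BUILDS) -> bool:
    """True when the host's build predates the fixed build for its release line.

    Release lines absent from the table are reported as needing attention
    (fail closed) rather than silently treated as patched.
    """
    line = release_line(ev.version)
    if line not in fixed:
        return True
    return ev.build < fixed[line]


def report(outputs: dict, fixed: dict = FIXED_BUILDS) -> dict:
    """Map host name -> True if the host still needs the patch."""
    return {
        host: needs_patch(parse_esxcli_version(host, text), fixed)
        for host, text in outputs.items()
    }


# Constructed sample outputs (not real hosts or real build numbers).
SAMPLE_OUTPUTS = {
    "esxi-01": (
        "   Product: VMware ESXi\n   Version: 8.0.3\n"
        "   Build: Releasebuild-24000000\n   Update: 3\n   Patch: 0\n"
    ),
    "esxi-02": (
        "   Product: VMware ESXi\n   Version: 8.0.3\n"
        "   Build: Releasebuild-24000001\n   Update: 3\n   Patch: 0\n"
    ),
    "esxi-03": (
        "   Product: VMware ESXi\n   Version: 6.7.0\n"
        "   Build: Releasebuild-17000000\n   Update: 3\n   Patch: 0\n"
    ),
}

# Constructed fixed-build table used only for the sample run below.
SAMPLE_FIXED = {"8.0": 24000001, "7.0": 23000000}

if __name__ == "__main__":
    for host, pending in report(SAMPLE_OUTPUTS, SAMPLE_FIXED).items():
        print(f"{host}: {'NEEDS PATCH' if pending else 'ok'}")
```

In practice the `esxcli` output would be collected from each host (for example over SSH or through vCenter) and passed to `report`; the fail-closed handling of unknown release lines is deliberate so that hosts on unexpected versions show up in the list rather than being overlooked.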