Broadcom has released security updates for VMware
Broadcom has released security updates to address three actively exploited vulnerabilities in VMware ESXi, Workstation, and Fusion products that can lead to arbitrary code execution, data manipulation, and information disclosure.
The first vulnerability (CVE-2025-22224) is related to a Time-of-Check Time-of-Use (TOCTOU) error.
The second vulnerability (CVE-2025-22225) is associated with arbitrary code execution and can be used to escape the sandbox of a virtual machine.
The third vulnerability (CVE-2025-22226) allows a malicious actor with administrative privileges on a virtual machine to read data from the VMX process memory, which leads to information leakage.
The vulnerabilities affect the following software versions: VMware ESXi 8.0 and 7.0, VMware Workstation 17.x, VMware Fusion 13.x, as well as the VMware Cloud Foundation and VMware Telco Cloud platforms.
Broadcom has already released patches addressing the vulnerabilities and strongly recommends that users install them.
Source: broadcom.com
07 March 2025