U.S. tech giant Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by malicious hackers to compromise the networks of its corporate customers.
The three vulnerabilities — collectively dubbed “ESXicape” by one security researcher — affect VMware ESXi, Workstation, and Fusion, which are widely used software hypervisor products that allow multiple virtual machines to be run on a single server. Hypervisors are commonly used to reduce the need to take up physical server space.
Broadcom, which acquired VMware in 2023, said that the vulnerabilities (tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) could allow an attacker with administrator or root privileges on a virtual machine to escape its protected sandbox and gain broader unauthorized access to the underlying hypervisor product.
With access to the hypervisor, an attacker can gain access to any other virtual machine, including virtual systems owned by other companies within the same physical data center.
Broadcom says it has “information to suggest” that the vulnerabilities have been exploited in the wild.
“The impact here is huge; an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor,” Stephen Fewer, principal security researcher at threat intelligence company Rapid7, told TechCrunch.
Broadcom did not share any details about the nature of the attacks or the threat actors behind them, and did not say whether any customer data had been accessed. A spokesperson for Broadcom did not respond to TechCrunch’s questions. Microsoft, which discovered and reported the vulnerabilities to Broadcom, also did not respond by press time.
Security researcher Kevin Beaumont said in a post on Mastodon that the three vulnerabilities are actively being exploited by an as-yet-unnamed ransomware group.
VMware vulnerabilities are frequently targeted by ransomware groups because they can be exploited to compromise multiple servers in a single attack, and because sensitive corporate data is often stored in these virtualized environments.
Microsoft found in 2024 that several ransomware groups were exploiting a VMware hypervisor flaw in attacks deploying Black Basta and LockBit ransomware in data-stealing campaigns targeting corporate data. The previous year, a large-scale hacking campaign, dubbed “ESXiArgs,” saw ransomware groups exploit a two-year-old VMware vulnerability to target thousands of organizations worldwide.
Broadcom has released patches for the three vulnerabilities, which are classed as “zero-day” bugs because they were exploited before a fix was made available. Broadcom described its security advisory as an “emergency” change and is urging customers to apply the patches as soon as possible.
U.S. government cybersecurity agency CISA is also warning federal agencies to patch against the bugs, which it has added to its running catalog of vulnerabilities known to be under attack.