New VMware RCE & Escape Bugs Discovered – Are You Affected?

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

In July 2025, VMware issued a high-priority security advisory (VMSA-2025-0013) addressing four critical vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Tools. These flaws—tracked as CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, and CVE-2025-41239—could allow remote code execution (RCE) and virtual machine (VM) escape, posing a major risk to virtualization infrastructure.

What’s Affected?

• VMware ESXi: 8.0.x < ESXi80U2e-24789317, 7.0.x < ESXi70U3w-24784741
• VMware Workstation: 17.0.x < 17.6.4
• VMware Fusion: 13.0.x < 13.6.4

Vulnerability Breakdown

CVE-2025-41236 – VMXNET3 Integer Overflow

• CVSS Score: 9.3 (Critical)
• A flaw in the VMXNET3 virtual network adapter allows attackers with admin access inside the guest VM to exploit an integer overflow, leading to code execution on the host.
• Only affects VMs with the VMXNET3 adapter.

CVE-2025-41237 – VMCI Integer Underflow

• CVSS Score: 9.3 (Critical)
• A vulnerability in the Virtual Machine Communication Interface (VMCI) allows out-of-bounds writes, potentially leading to RCE on the host through the VMX process.
• On ESXi, the attack stays within the VMX sandbox. On Workstation and Fusion, it could break out to the host OS.

CVE-2025-41238 – PVSCSI Heap Overflow

• CVSS Score: 9.3 (Critical)
• Exploitable heap overflow in the PVSCSI controller (paravirtual SCSI), leading to code execution from a guest VM on the host.
• On ESXi, only exploitable under unsupported configurations; on Workstation/Fusion, could lead to host-level RCE.

CVE-2025-41239 – vSockets Info Leak

• Information disclosure caused by use of uninitialized memory in vSockets.
• Could leak sensitive memory data to attackers with guest admin access.

Why It Matters

• VM Escape: Attackers can break out of a sandboxed VM and compromise the host, potentially affecting the entire virtualized environment.
• Data Leak: Sensitive memory information may be exposed.
• Privilege Requirement: All four vulnerabilities require local administrator access inside the VM to exploit.
• No User Interaction Required: Exploits do not need user interaction once access is obtained.

Patch Now

VMware recommends upgrading to the following safe versions immediately:

• VMware ESXi: ESXi80U2e-24789317 or ESXi70U3w-24784741
• VMware Workstation: 17.6.4
• VMware Fusion: 13.6.4

Official Advisory – VMSA-2025-0013

Timeline

• July 2025: VMware published VMSA-2025-0013
• July 17, 2025: Longterm Security Emergency Response Center issued this risk alert

Final Recommendations

• Upgrade vulnerable systems immediately
• Review access control policies
• Restrict unnecessary network access to hypervisors
• Monitor systems for signs of VM escape or suspicious VM behavior

These are serious vulnerabilities that could compromise the core isolation guarantees of your virtual infrastructure. Don’t delay—patch today.

Join the SafeLine Community

• GitHub Repository
• Official Docs
• Discord Community