About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
A newly disclosed set of critical vulnerabilities in VMware ESXi may allow attackers to escape virtual machines and compromise the host system. The flaws—CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226—affect core virtualization components and have already been observed being exploited in the wild.
Admins running ESXi 7.x and 8.x, or using related products like vSphere, Workstation, Fusion, or Cloud Foundation, are strongly advised to patch immediately.
Vulnerability Summary
These three vulnerabilities affect how VMware ESXi handles memory and access control in its virtualization layer:
- CVE-2025-22224: A time-of-check-to-time-of-use (TOCTOU) race condition in the VMCI (Virtual Machine Communication Interface) allows heap memory corruption and arbitrary memory access.
- CVE-2025-22225: Lack of strict memory write validation in certain ESXi modules leads to an out-of-bounds write, potentially allowing attackers to modify sensitive host data.
- CVE-2025-22226: Insufficient boundary checks in the host-guest file system (HGFS) interface cause out-of-bounds reads, exposing sensitive memory content.
Impact
While each bug alone poses moderate risk, chained together they enable full VM escape, letting an attacker from inside a guest OS compromise the ESXi host. Potential consequences include:
- Full control of the host: Complete bypass of virtualization boundaries.
- Sensitive data leakage: Memory content disclosure via read/write primitives.
- Business disruption: Tampering with system processes may lead to outages or persistent compromise.
Severity: Critical
Access vector: Remote (pre-auth)
User interaction: None required
Default config: Vulnerable
Exploit maturity: No public PoC yet, but in-the-wild exploitation confirmed
Affected Versions
All unpatched versions of VMware ESXi 7.x and 8.x are affected.
Legacy versions such as ESXi 6.5 and 6.7, which are no longer officially supported, are also vulnerable and pose additional risk due to lack of automatic updates.
Related platforms impacted:
- vSphere
- VMware Workstation / Fusion
- VMware Cloud Foundation
- VMware Telco Cloud
Mitigation and Patching
No reliable workarounds
VMware has confirmed that there is no configuration-based mitigation—the only way to fully address the issue is to apply official patches and reboot the host.
Temporary Workarounds
- Secure network access: Restrict external access to ESXi management interfaces via firewall, VPN, or cloud security groups.
- Harden guest VMs: Ensure OS and app patches are current to reduce attack surface from within compromised guests.
- Enable monitoring and auditing: Use behavior-based intrusion detection to flag signs of exploitation across ESXi environments.
Permanent Fix
- Patch immediately using official builds:
  - ESXi 8.0 → Update to 8.0 Update 3d (build 24585383) or 8.0 Update 2d (build 24585300)
  - ESXi 7.0 → Update to 7.0 Update 3s (build 24585291)
  - ESXi 6.7 → Patch via VMware support portal
  - ESXi 6.5 → Patch available through extended support channels
- Update desktop virtualization products:
  - VMware Workstation Pro → v17.6.3
  - VMware Fusion → v13.6.3
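To turn the build numbers above into a fleet check, here is an added example (not code from the original post or from VMware) that classifies ESXi hosts from the banner that `vmware -v` prints on each host. It assumes VMware build numbers increase monotonically with release date, so any 8.0 build at or above 24585300 (Update 2d) and any 7.0 build at or above 24585291 (Update 3s) carries the fix; hostnames and banners in the sample inventory are constructed.

```python
import re

# Minimum fixed build per ESXi line, taken from the advisory:
# 8.0 Update 3d = 24585383, 8.0 Update 2d = 24585300, 7.0 Update 3s = 24585291.
# Assumption: build numbers grow with release date, so >= the lowest fixed
# build of a line means Update 2d/3d (8.0) or Update 3s (7.0) or later.
PATCHED_BUILDS = {"8.0": 24585300, "7.0": 24585291}

# `vmware -v` on an ESXi host prints e.g. "VMware ESXi 8.0.3 build-24585383"
VERSION_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.\d+ build-(\d+)")


def assess(banner):
    """Return 'patched', 'vulnerable' or 'unsupported' for one `vmware -v` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    line = f"{m.group(1)}.{m.group(2)}"
    build = int(m.group(3))
    if line not in PATCHED_BUILDS:
        # 6.5 / 6.7: the advisory lists no fixed build, only support-channel patches,
        # so these hosts need a manual check rather than a build comparison.
        return "unsupported"
    return "patched" if build >= PATCHED_BUILDS[line] else "vulnerable"


def triage(banners):
    """Group hostnames by status so vulnerable hosts can be scheduled first."""
    out = {"patched": [], "vulnerable": [], "unsupported": []}
    for host, banner in banners.items():
        out[assess(banner)].append(host)
    return out


# Constructed sample inventory (hostnames and banners are made up for the example)
SAMPLE = {
    "esx-01": "VMware ESXi 8.0.3 build-24585383",
    "esx-02": "VMware ESXi 8.0.3 build-24280767",
    "esx-03": "VMware ESXi 7.0.3 build-24585291",
    "esx-04": "VMware ESXi 7.0.3 build-23794027",
    "esx-05": "VMware ESXi 6.7.0 build-17700523",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

In practice the banners would be collected over SSH or from vCenter rather than typed in; a host that reports as unsupported still needs the support-portal patch the post describes.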
Timeline
- March 4, 2025 — Vulnerability publicly disclosed
- March 5, 2025 — Emergency advisory issued by Chaitin Security Lab
Final Thoughts
VM escape vulnerabilities are rare—and dangerous. This exploit chain bypasses isolation at the hypervisor level, putting your entire virtual infrastructure at risk. Patch now, monitor actively, and review guest OS security posture. Don’t wait for a public PoC to appear.