
U.S. Technology Giant Broadcom Warns of VMware Vulnerabilities

Broadcom, a leading U.S. technology company, has issued a warning regarding the active exploitation of three vulnerabilities in VMware products by malicious hackers, targeting the networks of its corporate customers.

The vulnerabilities, collectively nicknamed “ESXicape” by a security researcher, affect VMware’s widely used hypervisor products, including ESXi, Workstation, and Fusion. These products let many virtual machines run on a single physical machine, reducing the need for dedicated hardware.

Broadcom, which acquired VMware in 2023, has identified the vulnerabilities as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. According to the company, they could allow an attacker who already holds administrator or root privileges inside a virtual machine to break out of the guest’s isolation boundary and gain unauthorized access to the underlying hypervisor.

With control of the hypervisor, an attacker can potentially reach every other virtual machine running on that host, including those belonging to other tenants in a shared data center.

Broadcom has confirmed that it has evidence suggesting the vulnerabilities have been exploited in the wild. Stephen Fewer, a principal security researcher at Rapid7, emphasized the significant impact of these vulnerabilities, stating that “an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor.”

Although Broadcom did not provide details about the nature of the attacks or the threat actors involved, security researcher Kevin Beaumont reported on Mastodon that the vulnerabilities are being actively exploited by a ransomware group.

VMware vulnerabilities are frequently targeted by ransomware groups because a single compromised host can yield every virtual machine running on it. This is particularly concerning given that sensitive corporate data is often stored in virtualized environments.

In 2024, Microsoft discovered that multiple ransomware groups were exploiting a VMware hypervisor flaw to deploy Black Basta and LockBit ransomware in data-stealing campaigns targeting corporate data. The previous year, a large-scale hacking campaign dubbed “ESXIArgs” saw ransomware groups exploit a two-year-old VMware vulnerability to target thousands of organizations worldwide.

Broadcom has released patches for the three vulnerabilities, classified as “zero-day” bugs due to their exploitation before a fix was available. The company has described its security advisory as an “emergency” change and is urging customers to apply the patches as soon as possible.

The U.S. government’s cybersecurity agency, CISA, is also warning federal agencies to patch against the bugs, adding them to its Known Exploited Vulnerabilities (KEV) catalog, the list of flaws confirmed to be under attack that carries a remediation deadline for federal agencies.
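For defenders who track CISA’s catalog programmatically, the following is an added example (not code from the article, Broadcom, or CISA) that parses a feed in the JSON layout CISA publishes for the KEV catalog and reports, for a set of CVE IDs, whether each is listed, the remediation due date, how many days remain, and whether CISA flags known ransomware use. The feed embedded below is a constructed stand-in: only the three CVE IDs come from the article, and every other value (names, dates, descriptions, the ransomware flag) is illustrative.

```python
"""Check CVE IDs against a CISA KEV-style feed (added example, constructed data)."""
import json
from datetime import date

def _entry(cve, name, ransomware):
    # Builds one constructed entry using the field names of the real KEV feed.
    return {
        "cveID": cve,
        "vendorProject": "VMware",
        "product": "ESXi, Workstation and Fusion",
        "vulnerabilityName": name,
        "dateAdded": "2025-03-04",            # constructed
        "shortDescription": "Constructed description for the example.",
        "requiredAction": "Apply mitigations per vendor instructions.",
        "dueDate": "2025-03-25",              # constructed
        "knownRansomwareCampaignUse": "Known" if ransomware else "Unknown",
        "notes": "",
    }

# Constructed stand-in for the published feed; same JSON layout, illustrative contents.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.03.04",
    "dateReleased": "2025-03-04T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        _entry("CVE-2025-22224", "VMware ESXi Vulnerability (constructed entry)", True),
        _entry("CVE-2025-22225", "VMware ESXi Vulnerability (constructed entry)", False),
        _entry("CVE-2025-22226", "VMware ESXi Vulnerability (constructed entry)", False),
    ],
})

ESXICAPE_CVES = ["CVE-2025-22224", "CVE-2025-22225", "CVE-2025-22226"]

def load_kev(feed_text):
    """Index a KEV-layout feed by CVE ID, normalising IDs to upper case."""
    feed = json.loads(feed_text)
    return {v["cveID"].strip().upper(): v for v in feed["vulnerabilities"]}

def check_cves(feed_text, cve_ids, today):
    """Return {CVE: status} for each requested ID; `today` is a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    index = load_kev(feed_text)
    report = {}
    for raw in cve_ids:
        cve = raw.strip().upper()          # tolerate "cve-2025-22224" style input
        entry = index.get(cve)
        if entry is None:
            report[cve] = {"listed": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        report[cve] = {
            "listed": True,
            "product": entry["product"],
            "date_added": entry["dateAdded"],
            "due_date": entry["dueDate"],
            "days_until_due": (due - today).days,   # negative once the deadline has passed
            "overdue": today > due,
            "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
            "required_action": entry["requiredAction"],
        }
    return report

def main():
    # "CVE-2025-99999" is a placeholder that is deliberately absent from the feed.
    report = check_cves(SAMPLE_KEV_FEED, ESXICAPE_CVES + ["cve-2025-99999"], "2025-03-10")
    for cve, info in report.items():
        if not info["listed"]:
            print(f"{cve}: not in KEV")
            continue
        flag = " [ransomware]" if info["ransomware_use"] else ""
        print(f"{cve}: due {info['due_date']} ({info['days_until_due']} days left){flag}")

if __name__ == "__main__":
    main()
```

Against the live feed, replace `SAMPLE_KEV_FEED` with the text downloaded from CISA’s KEV JSON endpoint; the field names used above are the ones the public feed carries, so `check_cves` works unchanged.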
