Broadcom urges VMware customers to patch ‘emergency’ zero-day bugs under active exploitation – Model Slux

U.S. technology giant Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by malicious hackers to compromise the networks of its corporate customers.

The three vulnerabilities — collectively dubbed “ESXicape” by one security researcher — affect VMware ESXi, Workstation, and Fusion, which are widely used software hypervisor products that allow multiple virtual machines to be run on a single server. Hypervisors are commonly used to reduce the need for physical server space.

Broadcom, which acquired VMware in 2023, said that the vulnerabilities (tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) could allow an attacker with administrator or root privileges on a virtual machine to escape its protected sandbox and gain broader unauthorized access to the underlying hypervisor product.

With access to the hypervisor, an attacker can gain access to any other virtual machine, including virtual systems owned by other companies within the same physical data center.

Broadcom says it has “information to suggest” that the vulnerabilities have been exploited in the wild.

“The impact here is large, an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor,” Stephen Fewer, principal security researcher at threat intelligence company Rapid7, told TechCrunch.

Broadcom did not share any details about the nature of the attacks or the threat actors behind them, and did not say whether any customer data had been accessed. A spokesperson for Broadcom did not respond to TechCrunch’s questions. Microsoft, which discovered and reported the vulnerabilities to Broadcom, also did not respond by press time.

Security researcher Kevin Beaumont said in a post on Mastodon that the three vulnerabilities are actively being exploited by an as-yet-unnamed ransomware group.

VMware vulnerabilities are frequently targeted by ransomware groups because they can be exploited to compromise multiple servers in a single attack, and because sensitive corporate data is often stored in these virtualized environments.

Microsoft found in 2024 that several ransomware groups were exploiting a VMware hypervisor flaw in attacks deploying Black Basta and LockBit ransomware in data-stealing campaigns targeting corporate data. The previous year, a large-scale hacking campaign, dubbed “ESXiArgs,” saw ransomware groups exploit a two-year-old VMware vulnerability to target thousands of organizations worldwide.

Broadcom has released patches for the three vulnerabilities, which are classed as “zero-day” bugs because they were exploited before a fix was made available. Broadcom described its security advisory as an “emergency” change and is urging customers to apply the patches as soon as possible.

U.S. government cybersecurity agency CISA is also warning federal agencies to patch against the bugs, which it has added to its running catalog of vulnerabilities known to be under attack.
