Broadcom has issued a critical security advisory addressing four vulnerabilities across VMware's virtualization products.
The advisory, designated VMSA-2025-0013 and published on July 15, 2025, affects ESXi, Workstation Pro, Fusion, and VMware Tools, with CVSS v3 base scores up to 9.3.
The vulnerabilities were demonstrated at the Pwn2Own competition and could allow an attacker who already holds local administrative privileges inside a guest virtual machine to execute code in the host-side VMX process that runs that VM.
Vulnerabilities Spanning Multiple VMware Components
The advisory covers four CVEs affecting core virtualization components.
CVE-2025-41236 is an integer overflow in the VMXNET3 virtual network adapter, rated CVSS 9.3.
CVE-2025-41237 is an integer underflow in the Virtual Machine Communication Interface (VMCI) that leads to an out-of-bounds write, also rated 9.3.
CVE-2025-41238 is a heap overflow in the Paravirtualized SCSI (PVSCSI) controller, and CVE-2025-41239 is an information disclosure in vSockets caused by use of uninitialized memory.
The affected product matrix includes VMware ESXi 7.0 and 8.0, VMware Workstation Pro 17.x, VMware Fusion 13.x, and VMware Tools for Windows (affected by the vSockets issue only).
VMware Cloud Foundation, vSphere Foundation, and Telco Cloud platforms, which bundle these components, are also affected.
The impact differs by platform: on ESXi, exploitation is contained within the VMX sandbox, whereas on Workstation and Fusion, successful exploitation could lead to code execution on the host operating system.
Attack Vectors and Technical Implementation Details
The vulnerabilities were reported through the Zero Day Initiative by researchers from STARLabs SG, Reverse Tactics, Synacktiv, and THEORI.
All four require local administrative privileges inside a guest virtual machine, so they matter most in multi-tenant or hosted environments where the host operator does not trust the VM administrators.
The VMXNET3 flaw is reachable only from virtual machines configured with that adapter; VMs using other virtual NICs are not affected. The VMCI issue sits in the interface guests use to communicate with the host.
The PVSCSI heap overflow carries different risk depending on the platform.
On ESXi it is exploitable only in unsupported configurations, while on Workstation and Fusion it can lead directly to host compromise.
The vSockets information disclosure can leak memory from processes that communicate over vSockets to an attacker in the guest.
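As an added triage check (example code written for this page, not a Broadcom tool or anything from the advisory), the script below reads a .vmx file and reports which of the affected device classes a VM has configured, mapped to the CVEs above. The sample .vmx is constructed; treating a device as present unless its `.present` key is explicitly FALSE, and treating VMCI as enabled when no `vmci0.present` line exists, are assumptions of this example.

```python
import re

# Constructed sample .vmx, shaped like a typical vSphere 8 VM configuration.
# Not taken from the advisory.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "21"
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000e"
scsi0.present = "TRUE"
scsi0.virtualDev = "pvscsi"
vmci0.present = "TRUE"
"""

# Affected device classes from VMSA-2025-0013 and the CVE each one maps to.
# vSockets is carried over VMCI, so a VM with VMCI enabled is in scope for
# both the VMCI underflow and the vSockets information disclosure.
DEVICE_CVES = {
    "vmxnet3": ["CVE-2025-41236"],
    "pvscsi": ["CVE-2025-41238"],
    "vmci": ["CVE-2025-41237", "CVE-2025-41239"],
}

# key = "value" lines; .vmx keys may start with a dot (".encoding").
_KV = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse the key = "value" lines of a .vmx file into a dict (keys lower-cased)."""
    cfg = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def _present(cfg, device):
    # Assumption: a device counts as present unless <device>.present is
    # explicitly FALSE. VMCI is enabled by default on current hardware
    # versions, so this also covers a .vmx with no vmci0.present line.
    return cfg.get(f"{device}.present", "TRUE").strip().upper() != "FALSE"


def exposure(vmx_text):
    """Return {device: [CVE, ...]} for each affected device the VM has configured."""
    cfg = parse_vmx(vmx_text)
    found = {}
    for key, val in cfg.items():
        dev, _, attr = key.partition(".")
        if attr == "virtualdev" and val.lower() in DEVICE_CVES and _present(cfg, dev):
            found[dev] = DEVICE_CVES[val.lower()]
    if _present(cfg, "vmci0"):
        found["vmci0"] = DEVICE_CVES["vmci"]
    return found


if __name__ == "__main__":
    for dev, cves in sorted(exposure(SAMPLE_VMX).items()):
        print(f"{dev}: {', '.join(cves)}")
```

A non-empty result means "patch this host", not "reconfigure the VM": the advisory lists no workarounds, so the device inventory is only useful for prioritising which hosts and tenants to patch first.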
Remediation Strategy and Available Patches
Broadcom has released patches for all four vulnerabilities. ESXi 8.0 hosts should apply ESXi80U3f-24784735 (8.0 Update 3 line) or ESXi80U2e-24789317 (8.0 Update 2 line), and ESXi 7.0 hosts should apply ESXi70U3w-24784741.
VMware Workstation Pro users must upgrade to version 17.6.4, and Fusion users should install version 13.6.4.
VMware Tools for Windows needs to be updated to 13.0.1.0 on the 13.x line or 12.5.3 on the 12.x line.
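As an added check (example code written for this page, not a Broadcom tool), the script below classifies a host from the output of `esxcli system version get` against the fixed builds listed above, and a Windows VMware Tools version string against the fixed 12.x and 13.x releases. The sample esxcli output and Tools version strings are constructed, and the mapping of each update line to the version string esxcli reports (8.0 Update 3 as 8.0.3, and so on) is an assumption of this example.

```python
import re

# Fixed ESXi builds from VMSA-2025-0013, keyed by the "Version" string that
# "esxcli system version get" prints for each update line. Assumption of this
# example: 8.0 Update 3 reports 8.0.3, 8.0 Update 2 reports 8.0.2 and
# 7.0 Update 3 reports 7.0.3; build numbers increase within one line.
FIXED_ESXI_BUILDS = {
    "8.0.3": 24784735,  # ESXi80U3f-24784735
    "8.0.2": 24789317,  # ESXi80U2e-24789317
    "7.0.3": 24784741,  # ESXi70U3w-24784741
}

# Minimum fixed VMware Tools for Windows on each line named in the advisory.
FIXED_TOOLS = {13: (13, 0, 1, 0), 12: (12, 5, 3)}

# Constructed sample output of "esxcli system version get" (not from the page).
ESXI_80U3_OLD = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
"""
ESXI_80U3_FIXED = ESXI_80U3_OLD.replace("24022510", "24784735")
ESXI_80U1 = ESXI_80U3_OLD.replace("8.0.3", "8.0.1").replace("Update: 3", "Update: 1")


def parse_esxcli_version(text):
    """Turn the 'Field: value' lines of esxcli output into a dict (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def esxi_status(esxcli_output):
    """'patched', 'vulnerable', or 'unfixed-line' (a 7.x/8.x line with no fixed
    build in the advisory, e.g. 8.0.1, which must move to a fixed release)."""
    f = parse_esxcli_version(esxcli_output)
    m = re.search(r"(\d+)\s*$", f.get("build", ""))  # "Releasebuild-24022510"
    build = int(m.group(1)) if m else -1
    fixed = FIXED_ESXI_BUILDS.get(f.get("version", ""))
    if fixed is None:
        return "unfixed-line"
    return "patched" if build >= fixed else "vulnerable"


def tools_status(tools_version):
    """Classify a VMware Tools for Windows version string such as '12.4.5.23787635'."""
    parts = tuple(int(x) for x in tools_version.split("."))
    target = FIXED_TOOLS.get(parts[0])
    if target is None:
        return "unfixed-line"  # e.g. 11.x: upgrade to 12.5.3 or 13.0.1.0
    padded = parts + (0,) * max(0, len(target) - len(parts))
    return "patched" if padded[:len(target)] >= target else "vulnerable"


if __name__ == "__main__":
    samples = [("8.0 U3 older build", ESXI_80U3_OLD),
               ("8.0 U3f", ESXI_80U3_FIXED),
               ("8.0 U1", ESXI_80U1)]
    for name, out in samples:
        print(f"{name}: {esxi_status(out)}")
    for v in ["12.4.5.23787635", "12.5.3.24000000", "13.0.0.24696409", "11.3.5.18557794"]:
        print(f"Tools {v}: {tools_status(v)}")
```

Feed it the real output of `esxcli system version get` from each host (or the version and build fields collected from vCenter). A result of `unfixed-line` means the host is on a 7.0 or 8.0 line for which the advisory lists no patch, such as 8.0 Update 1, so it has to be upgraded to one of the fixed releases rather than patched in place.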
The advisory emphasizes that no workarounds exist for these vulnerabilities, making immediate patching essential.
Organizations using VMware Cloud Foundation can implement asynchronous patching procedures as documented in the knowledge base article KB88287.
Additional technical documentation and frequently asked questions are available at the supplemental FAQ resource located at brcm.tech/vmsa-2025-0013-qna.