VMware Bugs Expose Hosts to Critical Code Execution
VMware has released patches for multiple critical vulnerabilities in its ESXi, Workstation, Fusion, and Tools products that allow an attacker inside a guest to execute code on the host system. The bugs put organizations running virtualized infrastructure in enterprise or cloud environments at significant risk. All of the flaws were demonstrated at the Pwn2Own competition and affect the VMXNET3, VMCI, PVSCSI, and vSockets components.
Three of the four vulnerabilities (CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238) carry a CVSS score of 9.3 and allow code running inside a virtual machine to reach the host. The impact is most severe on Workstation and Fusion, where the flaws allow a full VM escape to the host operating system. On ESXi the damage is contained by the hypervisor's sandboxing of the VM process, but patching is still urgent, because a guest compromise on an unpatched host should be treated as a hypervisor-level incident.
Broadcom urges customers to update ESXi 8.0 to build ESXi80U3f-24784735 or ESXi 7.0 to build ESXi70U3w-24784741, and to install Workstation Pro 17.6.4, Fusion 13.6.4, and VMware Tools 13.0.1.0.
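A quick way to audit an ESXi fleet against these fixed builds, added here as an example and not code from the article or from Broadcom: parse the output of `esxcli system version get` and compare the host's build with the fixed build for its release line. Two things are assumptions: that the output uses the `Key: value` layout with a `Build: Releasebuild-NNNNNNNN` line, and that every build later than the fixed one in the same line also carries the fix. The sample outputs are constructed, with illustrative build numbers.

```python
import re

# Fixed ESXi builds named in the summary above, keyed by ESXi release line.
# Assumption (not stated on the page): every later build in the same line also
# contains the fix, so "build >= fixed build" means patched.
FIXED_ESXI_BUILDS = {
    "8.0": 24784735,  # ESXi80U3f-24784735
    "7.0": 24784741,  # ESXi70U3w-24784741
}


def parse_esxcli_version(text):
    """Turn the 'Key: value' lines of `esxcli system version get` into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def build_number(fields):
    """Extract the numeric build from a value like 'Releasebuild-24784735'."""
    m = re.search(r"(\d+)\s*$", fields.get("Build", ""))
    if not m:
        raise ValueError("no build number in esxcli output")
    return int(m.group(1))


def release_line(fields):
    """Map a Version such as '8.0.3' to its release line '8.0'."""
    m = re.match(r"(\d+\.\d+)", fields.get("Version", ""))
    if not m:
        raise ValueError("no version in esxcli output")
    return m.group(1)


def is_patched(fields):
    """True if the host's build is at or past the fixed build for its line.

    Returns None for a release line the advisory summary does not cover, so
    the caller has to decide manually instead of getting a false 'patched'.
    """
    line = release_line(fields)
    if line not in FIXED_ESXI_BUILDS:
        return None
    return build_number(fields) >= FIXED_ESXI_BUILDS[line]


def check_host(text):
    """Convenience wrapper returning (release line, build, verdict)."""
    fields = parse_esxcli_version(text)
    return release_line(fields), build_number(fields), is_patched(fields)


# Constructed samples in the assumed shape of `esxcli system version get`
# output. The build numbers are illustrative, not real release builds.
SAMPLE_80_OLD = """   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24700000
   Update: 3
   Patch: 0
"""
SAMPLE_80_FIXED = SAMPLE_80_OLD.replace("24700000", "24784735")
# The same build number on the 7.0 line is NOT patched: 7.0's fix is 24784741,
# so build numbers must never be compared across release lines.
SAMPLE_70_SAME_BUILD = SAMPLE_80_FIXED.replace("8.0.3", "7.0.3")
SAMPLE_65 = SAMPLE_80_OLD.replace("8.0.3", "6.5.0")

if __name__ == "__main__":
    for name, sample in [("8.0 old", SAMPLE_80_OLD), ("8.0 fixed", SAMPLE_80_FIXED),
                         ("7.0 same build", SAMPLE_70_SAME_BUILD), ("6.5", SAMPLE_65)]:
        print(name, check_host(sample))
```

Feed the script the captured output of `esxcli system version get` from each host (over SSH or from a collected inventory). The branch on release line matters: the 7.0 fixed build (24784741) is numerically higher than the 8.0 one (24784735), so a single global threshold would misjudge hosts either way. The check covers ESXi only; Workstation, Fusion, and the VMware Tools package inside each guest need their own version checks against the numbers above.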
Read the full article at: https://cybersecuritynews.com/vmware-esxi-and-workstation-vulnerabilities/
