Conversation

Notices

    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 04-Mar-2025 23:19:45 JST

    3 different VMware zero days, under active exploitation by ransomware groups

    CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

    VMware ESXi
    VMware Workstation Pro / Player (Workstation)
    VMware Fusion
    VMware Cloud Foundation
    VMware Telco Cloud Platform

    (Exploitation actually ESXi)

    https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

    In conversation about 4 months ago from cyberplace.social

    Attachments

    1. Support Content Notification - Support Portal - Broadcom support portal

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 04-Mar-2025 23:21:04 JST

      Unclear if related to this post from a few weeks ago.

      In conversation about 4 months ago

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/104/601/737/076/516/original/965ce6e6e8b38b90.png

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 04-Mar-2025 23:23:17 JST

      You may want to escalate patching this as it allows virtual machine to hypervisor escape - e.g. from some dumb VM to the whole VMware private cloud estate.

      In conversation about 4 months ago

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 04-Mar-2025 23:34:10 JST

      VMware have set the Attack Vector to Local, which brings down the CVSS score - but you don't need to be locally at a VM to do the attack, you can do it over the internet if you have access to any VM.

      If you change it to Network, you get 10

      In conversation about 4 months ago

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/104/648/505/585/867/original/71cf2511fe58a5c5.png

      2. https://cyberplace.social/system/media_attachments/files/114/104/652/793/881/812/original/a67dbde655b57553.png
      Klaus Frank (agowa338@chaos.social)'s status on Tuesday, 04-Mar-2025 23:41:11 JST

      @GossiTheDog What exactly do you mean with "you can do it over the internet if you have access to any VM".

      Do you mean there needs to be an attacker service running on the VM or that just having a service like a webserver running inside such a VM is enough? (As long as said webserver is accessible from external).

      Also, to what extent would such a service have to be compromised first?

      In conversation about 4 months ago

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 05-Mar-2025 01:14:58 JST

      VMware ESXi vulns added to CISA KEV.

      In conversation about 3 months ago

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/105/000/093/076/449/original/a3f4f4f2c2ac43d7.png

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 05-Mar-2025 02:41:48 JST
      in reply to Tom Sellers

      Good catch by @TomSellers - although VMware doesn't list ESXi 6.7 as vulnerable, it is - they've published a patch for it: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/6-7/release-notes/esxi-update-and-patch-release-notes/vmware-esxi-67-patch-release-esxi670202503001.html

      I think what's happening here is 6.7 is under premium (paid) extended support where they publish patches for high severity vulns.

      This also tends to indicate it applies to other unsupported versions. The forum post suggested that vuln worked on ESXi 5.x - no patch is available that far back.

      I think this may be a big problem for many orgs.

      In conversation about 3 months ago

      Tom Sellers (tomsellers@infosec.exchange)'s status on Wednesday, 05-Mar-2025 02:46:29 JST

      @GossiTheDog

      In the Github version of the advisory and FAQ they actually state that ALL unpatched versions are vulnerable, though they indicate that they haven't tested most unsupported versions. Here are a few snippets from the link below:

      You are affected if you are running any version of VMware ESX, VMware vSphere, VMware Cloud Foundation, or VMware Telco Cloud Platform prior to the versions listed as “fixed” in the VMSA.

      For a definitive list of affected versions, please refer to the VMSA directly. If there is any uncertainty about whether a system is affected, it should be presumed vulnerable, and immediate action should be taken.

      Does this impact VMware vSphere 6.5 or 6.7?

      Yes. A patch has been released for ESX 6.7 and is available via the Support Portal to all customers. ESX 6.5 customers should use the extended support process for access to ESX 6.5 patches.

      Products that are past their End of General Support dates are not evaluated as part of security advisories, and are not listed in the official VMSA. Broadcom strongly encourages all customers using vSphere 6.5 and 6.7 to update to vSphere 8.

      https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004

      In conversation about 3 months ago

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 05-Mar-2025 02:52:00 JST

      Another good catch by @TomSellers - VMware's website advisory has less detail than their github for some reason.

      Their github: https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004

      According to their Github, additional VMware ESXi versions are impacted (e.g. 6.5, 6.7) and older versions are likely impacted but no patches available.

      An in-the-wild exploit for RCE hypervisor escape across every supported (and unsupported) product like this is unprecedented.

      In conversation about 3 months ago

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 05-Mar-2025 03:00:16 JST

      Quick mspaint.exe diagram on this, calling it ESXicape

      - Have access to something like a Windows 11 Virtual Desktop system in VMware, or a Linux box or some such?

      - Use ESXicape, a chain of three zero days, to gain access to the ESXi Hypervisor.

      - Use that to access every other VM, and be on the management network of VMware cluster

      Once you have this level of access, traditionally you'll see groups like ransomware actors steal files and wipe things. #ESXicape

      In conversation about 3 months ago

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/105/452/575/860/008/original/c3c692d4397f87bc.png

      Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 05-Mar-2025 04:30:12 JST

      @GossiTheDog

      I just came here to ask you why these vulnerabilities are rated so critical if they can't be remotely exploited. Looks like you partially answered my question, but can you say more, please? Isn't it pretty much always game over when a threat actor has unauthorized access to a VM connected to your network? What's the scenario you're envisioning that makes these CVEs such a threat?

      In conversation about 3 months ago

      Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 05-Mar-2025 04:36:20 JST

      @GossiTheDog

      OK, thanks, Kevin. Is it fair to compare accessing the hypervisor to gaining control over an Active Directory?

      In conversation about 3 months ago

      Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 05-Mar-2025 04:44:50 JST

      @GossiTheDog

      So, an attacker who gets access to a hypervisor in, say, GM's network also gets access in Ford's network? I don't think that's what you mean, but that's how it sounds to me.

      In conversation about 3 months ago

      Tom Sellers (tomsellers@infosec.exchange)'s status on Wednesday, 05-Mar-2025 04:53:13 JST
      in reply to Dan Goodin

      @GossiTheDog @dangoodin Compromise of the VMware ESXi host can result in compromise of the guests. Companies often run Active Directory controllers on VMware so compromise of the host can result in AD compromise as well. The VMware management infrastructure, such as vSphere, vCloud Director, etc also runs in VMware so you can compromise those as well. This applies to any sensitive workloads that you can run in a virtual machine.

      Networking for the guests is handled by the ESXi host. If you have full control of the host you can sniff and inject traffic, potentially impact local routing, etc.

      In conversation about 3 months ago

      Christoffer S. (nopatience@swecyb.com)'s status on Wednesday, 05-Mar-2025 05:01:31 JST
      in reply to Dan Goodin

      @GossiTheDog @dangoodin

      If you perhaps remember the attack against TietoEvry in Sweden... there has been speculation that it was executed because of exactly this.

      Attacker escaped from VM into the entire VMware cluster... which led to pretty much a full compromise of the entire datacenter.

      Now it's NOT KNOWN whether this was the actual flaw that led to the successful attack, but it certainly is a very plausible (and viable) vector.

      In conversation about 3 months ago

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 05-Mar-2025 19:37:00 JST

      I wrote up everything I know about #ESXicape https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc

      In conversation about 3 months ago

      Attachments

      1. Use one Virtual Machine to own them all — active exploitation of ESXicape
        from https://medium.com/@networksecurity
        A chain of three zero days allow threat actors to escape a Virtual Machine.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 06-Mar-2025 01:33:36 JST

      Does anybody know anybody at VMware Security who could have a look at the #ESXicape knowledge base article please?

      It's missing 6.5 and 6.7, which are definitely vulnerable and have patches available on Broadcom's site. They're also listed in the VMware Github advisory, but have been missed off the support site. It's causing people to not patch.

      In conversation about 3 months ago

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/110/783/048/990/426/original/ced086ad7ababaee.png

      waldi (waldi@chaos.social)'s status on Thursday, 06-Mar-2025 01:54:26 JST

      @GossiTheDog This might be because 6.5 and 6.7 are no longer under general support.

      In conversation about 3 months ago

      Chad Brigance (definity@infosec.exchange)'s status on Thursday, 06-Mar-2025 02:52:25 JST

      @GossiTheDog they kept it off on purpose. The GitHub page even says so. It's weird though and is very confusing for those who actually might have a legit reason to run 6.5 and 6.7.
      --------------
      Products that are past their End of General Support dates are not evaluated as part of security advisories, and are not listed in the official VMSA. Broadcom strongly encourages all customers using vSphere 6.5 and 6.7 to update to vSphere 8.

      https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004#does-this-impact-vmware-vsphere-65-or-67

      In conversation about 3 months ago

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 10-Mar-2025 04:54:10 JST

      Both VMware and Microsoft have declined to comment about #ESXicape, when asked about number of victims and who has the exploit.

      In conversation about 3 months ago

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 26-Mar-2025 01:09:17 JST

      Some background on Positive Technologies https://www.technologyreview.com/2021/04/15/1022895/us-sanctions-russia-positive-hacking/

      In conversation about 3 months ago

      Attachments

      1. The $1 billion Russian cyber company that the US says hacks for Moscow
        Washington has sanctioned Russian cybersecurity firm Positive Technologies. US intelligence reports claim it provides hacking tools and runs operations for the Kremlin.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 26-Mar-2025 01:09:18 JST

      A new twist on #ESXicape - you need local admin rights to escape the VM to the hypervisor, right?

      Slight issue - VMware Tools, installed inside VMs, allows local user to local admin privilege escalation on every VM due to vuln CVE-2025-22230

      “A malicious actor with non-administrative privileges on a Windows guest VM may gain ability to perform certain high-privilege operations within that VM.”

      Discovered by Positive Technologies, who US claim hack for Moscow.

      https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518

      In conversation about 3 months ago

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 15-May-2025 03:48:35 JST

      Reupping this thread - remember to patch both #ESXicape and CVE-2025-22230 in VMware Tools.

      The four vulns chained together allow full hypervisor escape from a Windows VM, without needing admin rights, gaining full SAN storage access to all VMs from one host - including to backups.

      I understand technical exploitation details for this will start to emerge in public late next week, which will enable more groups to jump on the bandwagon. Currently limited to a ransomware group.

      In conversation about a month ago

      David Wong (david_wong@cyberplace.social)'s status on Thursday, 22-May-2025 21:38:40 JST

      @GossiTheDog Still no news or context ?

      In conversation about a month ago