
Remote Code Execution Risks Found in VMware ESXi and Workstation


Broadcom has recently addressed multiple critical vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Tools. These vulnerabilities could allow attackers to execute malicious code on host systems, potentially leading to complete system compromise. The vulnerabilities, CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, and CVE-2025-41239, carry CVSS scores ranging from 7.1 to 9.3, with three classified as critical severity.


Vulnerability Details

The vulnerabilities affect various components within the VMware virtualization suite:

  • CVE-2025-41236: An integer overflow flaw in the VMXNET3 virtual network adapter could be exploited by an attacker with local admin rights on a VM to run code on the host. This issue carries a CVSSv3 score of 9.3.

  • CVE-2025-41237: An integer-underflow vulnerability in the Virtual Machine Communication Interface (VMCI) could be exploited by an attacker with local admin privileges to run code as the VM’s VMX process on the host. On ESXi, the impact is limited to the VMX sandbox, but on Workstation and Fusion, it could allow code execution on the host system. This vulnerability has a CVSSv3 score of 9.3.

  • CVE-2025-41238: A heap-overflow vulnerability in the PVSCSI controller could be exploited by an attacker with local admin rights on a VM to run code as the VMX process on the host. On ESXi, exploitation stays within the VMX sandbox and is only possible with unsupported configurations, while on Workstation and Fusion, it could result in host-level code execution. This vulnerability has a CVSSv3 score of 9.3.

  • CVE-2025-41239: An information disclosure vulnerability in vSockets may enable an attacker with local admin access on a VM to leak memory from processes communicating with vSockets. It has a CVSSv3 score of 7.1.

Impact & Exploit Potential

Successful exploitation of these vulnerabilities can lead to severe consequences:

  • Host-level code execution
  • VMX process compromise
  • Information disclosure

Specifically, CVE-2025-41237 and CVE-2025-41238 pose a greater risk to VMware Workstation and Fusion users, as successful exploitation can lead to code execution on the host machine where the virtualization software is installed.


Tactics, Techniques, and Procedures (TTPs)

Attackers can exploit these vulnerabilities to escape virtual machines and execute code directly on host systems. Key tactics and techniques include:

  • TA0002 – Execution: Exploiting vulnerabilities to execute malicious code.
  • TA0004 – Privilege Escalation: Gaining higher-level permissions on the system.
  • T1203 – Exploitation for Client Execution: Leveraging vulnerabilities in client-side applications to execute code.

Affected Products

The vulnerabilities impact a wide range of VMware products:

  • VMware ESXi versions 8.0 and 7.0
  • VMware Workstation version 17.x
  • VMware Fusion version 13.x
  • VMware Tools versions 13.x.x, 12.x.x, and 11.x.x
  • VMware Cloud Foundation versions 4.5.x, 5.x and 9.0.0.0
  • VMware vSphere Foundation version 9.0.0.0
  • VMware Telco Cloud Platform versions 5.x, 4.x, 3.x, and 2.x
  • VMware Telco Cloud Infrastructure versions 3.x and 2.x

Mitigation & Recommendations

To mitigate the risks, Broadcom recommends applying the released patches immediately. These include:

  • ESXi updates ESXi80U3f-24784735 and ESXi70U3w-24784741
  • Workstation Pro 17.6.4
  • Fusion 13.6.4
  • VMware Tools 13.0.1.0 and 12.5.3

It is essential to patch both the hypervisor and the Tools components. For the vSockets vulnerability (CVE-2025-41239), VMware Tools 12.5.3 addresses the Windows-specific issue.
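A quick way to turn the fixed levels above into an inventory check is to compare each host's reported build or version against the patched release for its train. The following is an added example and not code from the original post or from Broadcom/VMware; the fixed ESXi build numbers and the Workstation, Fusion and Tools versions are taken from the advisory, while the inventory record format, the hostnames and the unpatched build numbers are constructed assumptions. It also generalises slightly beyond the text: an ESXi train the advisory does not cover (for example 6.7) is reported as "unknown" rather than guessed at, and a Tools 11.x install, for which no fixed release is listed, is reported as needing an upgrade.

```python
"""Patch-level check for the VMware fixes named in the advisory above.

Added example, not code from the original post or from Broadcom/VMware.
Fixed versions and ESXi build numbers come from the advisory; the
inventory format (host, product, version, build) is a constructed assumption.
"""
import re

# Fixed levels from the advisory. ESXi is keyed by major.minor train
# because each train has its own fixed build number.
FIXED_ESXI_BUILD = {
    "8.0": 24784735,   # ESXi80U3f-24784735
    "7.0": 24784741,   # ESXi70U3w-24784741
}
FIXED_VERSION = {
    "Workstation": {"17": (17, 6, 4)},
    "Fusion": {"13": (13, 6, 4)},
    # Tools 11.x.x is affected but has no fixed release listed, so any
    # 11.x install is reported as needing an upgrade to a fixed train.
    "Tools": {"13": (13, 0, 1, 0), "12": (12, 5, 3)},
}


def parse_version(text):
    """Turn '12.5.3' or '13.0.1.0' into a tuple of ints for comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def esxi_build_from_string(build):
    """Accept '24784735' or 'Releasebuild-24784735' and return the int."""
    m = re.search(r"(\d+)\s*$", build)
    if not m:
        raise ValueError(f"unparseable ESXi build: {build!r}")
    return int(m.group(1))


def assess(record):
    """Return (host, status, reason) for one inventory record.

    status is 'patched', 'vulnerable' or 'unknown' (the version train is
    not covered by the advisory, so no verdict can be drawn from it).
    """
    host, product = record["host"], record["product"]
    version = parse_version(record["version"])
    if product == "ESXi":
        train = ".".join(str(p) for p in version[:2])
        fixed = FIXED_ESXI_BUILD.get(train)
        if fixed is None:
            return host, "unknown", f"ESXi {train} not covered by the advisory"
        build = esxi_build_from_string(record["build"])
        if build >= fixed:
            return host, "patched", f"build {build} >= fixed build {fixed}"
        return host, "vulnerable", f"build {build} < fixed build {fixed}"
    trains = FIXED_VERSION.get(product)
    if trains is None:
        return host, "unknown", f"product {product} not covered by the advisory"
    fixed = trains.get(str(version[0]))
    if fixed is None:
        return host, "vulnerable", f"{product} {record['version']} has no fixed release in its train; upgrade"
    # Pad the shorter tuple with zeros so 12.5.3 and 12.5.3.0 compare equal.
    width = max(len(version), len(fixed))
    v = version + (0,) * (width - len(version))
    f = fixed + (0,) * (width - len(fixed))
    fixed_text = ".".join(map(str, fixed))
    if v >= f:
        return host, "patched", f"{record['version']} >= {fixed_text}"
    return host, "vulnerable", f"{record['version']} < fixed {fixed_text}"


def vulnerable_hosts(records):
    """Names of records that still need patching, in inventory order."""
    return [host for host, status, _ in map(assess, records) if status == "vulnerable"]


# Constructed sample inventory: hostnames and the unpatched builds/versions
# are made up; only the fixed levels match the advisory.
SAMPLE_INVENTORY = [
    {"host": "esx-a", "product": "ESXi", "version": "8.0.3", "build": "Releasebuild-24784735"},
    {"host": "esx-b", "product": "ESXi", "version": "8.0.3", "build": "24000000"},
    {"host": "esx-c", "product": "ESXi", "version": "7.0.3", "build": "24784741"},
    {"host": "esx-d", "product": "ESXi", "version": "6.7.0", "build": "17000000"},
    {"host": "ws-01", "product": "Workstation", "version": "17.6.3"},
    {"host": "mac-02", "product": "Fusion", "version": "13.6.4"},
    {"host": "vm-web", "product": "Tools", "version": "12.5.2"},
    {"host": "vm-db", "product": "Tools", "version": "13.0.1.0"},
    {"host": "vm-old", "product": "Tools", "version": "11.3.5"},
]

if __name__ == "__main__":
    for host, status, reason in map(assess, SAMPLE_INVENTORY):
        print(f"{host:8} {status:10} {reason}")
```

The check compares ESXi by build number rather than by version string, because the version string (for example 8.0.3) does not change between the U3 patch levels; only the build does. Feed it whatever your inventory tool exports for ESXi build and Tools version, and treat an "unknown" result as a prompt to consult the advisory rather than as a clean bill of health.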


Real-World Observations

Security researchers discovered these flaws during the Pwn2Own Tokyo 2025 competition, where they demonstrated successful exploitation with near-100% reliability rates. While there is no indication of active, in-the-wild exploitation, the public demonstration of proof-of-concept exploits underscores the need for immediate patching.


Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.