Recent security assessments have identified multiple critical vulnerabilities within VMware’s suite of virtualization products, including ESXi, Workstation, Fusion, and associated tools. These flaws could enable attackers to execute malicious code directly on host systems, posing significant risks to organizational infrastructure.
Overview of Identified Vulnerabilities
The vulnerabilities in question are cataloged as CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, and CVE-2025-41239. Their Common Vulnerability Scoring System (CVSS) scores range from 6.2 to 9.3, and three of the four are classified as critical. These issues were brought to light during the Pwn2Own competition, underscoring the persistent threats facing virtualization technologies.
Detailed Analysis of Each Vulnerability
1. VMXNET3 Integer Overflow Flaw (CVE-2025-41236):
– Severity: Critical (CVSS score: 9.3)
– Component Affected: VMXNET3 virtual network adapter
– Description: This integer overflow vulnerability allows attackers with local administrative privileges on a virtual machine to execute arbitrary code on the host system. Notably, this flaw is specific to the VMXNET3 adapter; other virtual network adapters remain unaffected.
– Discovery: Identified by security researcher Nguyen Hoang Thach of STARLabs SG during the Pwn2Own competition.
– Impacted Versions: VMware ESXi versions 7.0 and 8.0, Workstation Pro 17.x, and Fusion 13.x.
2. VMCI Integer Underflow Flaw (CVE-2025-41237):
– Severity: Critical (CVSS score: 9.3)
– Component Affected: Virtual Machine Communication Interface (VMCI)
– Description: An integer underflow condition leads to out-of-bounds write operations, enabling attackers to execute malicious code within the virtual machine’s VMX process on the host system. The impact varies by deployment: on ESXi, exploitation is contained within the VMX sandbox; on Workstation and Fusion, it can lead to complete host system compromise.
3. PVSCSI Heap Overflow Flaw (CVE-2025-41238):
– Severity: Critical (CVSS score: 9.3)
– Component Affected: Paravirtualized SCSI (PVSCSI) controller
– Description: This heap overflow vulnerability results in out-of-bounds write conditions, allowing code execution within the VMX process context. Exploitability depends on deployment configuration: on ESXi, it’s exploitable only with unsupported configurations; on Workstation and Fusion, it poses a greater risk, potentially leading to host machine compromise.
4. vSockets Information Disclosure Flaw (CVE-2025-41239):
– Severity: Important (CVSS score: 7.1 for ESXi, Workstation, and Fusion; 6.2 for VMware Tools)
– Component Affected: vSockets
– Description: This vulnerability allows attackers to access sensitive information from the host system, potentially leading to further exploitation.
Impacted Products and Versions
The vulnerabilities affect a range of VMware products, including:
– VMware ESXi versions 7.0 and 8.0
– VMware Workstation Pro 17.x
– VMware Fusion 13.x
– VMware Tools
– VMware Cloud Foundation
– VMware Telco Cloud platforms
Recommended Actions
To mitigate these vulnerabilities, VMware has released patches and updates. Administrators are strongly advised to:
– Apply the latest patches for ESXi, Workstation Pro, Fusion, and VMware Tools.
– Review and update configurations to ensure they align with VMware’s security best practices.
– Monitor systems for unusual activity that may indicate exploitation attempts.
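To help order patching, the following added example (not VMware's tooling and not part of the original article) inventories which of the three device-specific flaws a VM's .vmx configuration exposes. It assumes the common .vmx key format (ethernetN.virtualDev, scsiN.virtualDev, vmci0.present); the function names and sample file are constructed for illustration, and vSockets (CVE-2025-41239) is not covered because it is not tied here to a single device entry.

```python
import re

# Device-type values mapped to the CVEs this article ties to each component.
DEVICE_CVES = {"vmxnet3": "CVE-2025-41236", "pvscsi": "CVE-2025-41238"}
VMCI_CVE = "CVE-2025-41237"
# Assumed .vmx line format: key = "value"
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return a dict of lower-cased keys to values; non-matching lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def exposed_devices(text):
    """Return sorted (device, CVE) pairs for affected device types that are enabled."""
    cfg = parse_vmx(text)
    findings = set()
    for key, value in cfg.items():
        m = re.fullmatch(r"((?:ethernet|scsi)\d+)\.virtualdev", key)
        if m and value.lower() in DEVICE_CVES:
            # Assumption: a device slot is active only when <slot>.present is TRUE.
            if cfg.get(m.group(1) + ".present", "").lower() == "true":
                findings.add((m.group(1), DEVICE_CVES[value.lower()]))
    if cfg.get("vmci0.present", "").lower() == "true":
        findings.add(("vmci0", VMCI_CVE))
    return sorted(findings)

# Constructed sample .vmx content, not taken from a real system.
SAMPLE_VMX = '''ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000e"
scsi0.present = "TRUE"
scsi0.virtualDev = "pvscsi"
scsi1.present = "FALSE"
scsi1.virtualDev = "pvscsi"
vmci0.present = "TRUE"
'''

if __name__ == "__main__":
    for device, cve in exposed_devices(SAMPLE_VMX):
        print(f"{device}: {cve}")
```

A finding means the affected device type is configured, not that the host is unpatched; patch level still has to be checked against the vendor advisory.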
Conclusion
The discovery of these critical vulnerabilities highlights the importance of maintaining up-to-date systems and adhering to security best practices. Organizations utilizing VMware’s virtualization products should prioritize the application of these patches to safeguard their infrastructure against potential attacks.