VMware Zero-Day Vulnerabilities Are Being Exploited: Patch Now or Pay Later
Three critical zero-day vulnerabilities are actively being exploited in VMware products. Broadcom and Microsoft have sounded the alarm—patches are out, and delay is not an option.
Three newly discovered zero-day vulnerabilities are being actively exploited across multiple VMware products, including ESXi, Workstation, and Fusion. These aren’t hypothetical risks—they’re already in the wild, with the Microsoft Threat Intelligence Center (MSTIC) confirming real-world attacks. Broadcom, now the parent company of VMware, has issued a security advisory and corresponding patches. Organizations still dragging their feet are exposing themselves to serious risk.
Here’s what’s on the line.
What’s Broken — and How Bad It Is
The vulnerabilities, tracked as CVE-2024-22224, CVE-2024-22225, and CVE-2024-22226, all allow attackers with administrative access to perform high-impact exploits. These range from full code execution on the host system to sandbox escape and memory leakage. Severity scores land between 7.1 and 9.3 on the CVSSv3 scale, with CVE-2024-22224 being the worst of the bunch.
Let’s break them down:
CVE-2024-22224
Score: 9.3 (Critical)
A Time-of-Check to Time-of-Use (TOCTOU) bug in ESXi and Workstation leads to an out-of-bounds write. That gives an attacker with admin privileges the ability to run arbitrary code within the VMX process—effectively taking control of the host. No workaround exists. Patch now.
CVE-2024-22225
Score: 8.2 (Important)
Found in ESXi, this one lets attackers perform arbitrary kernel writes via the VMX process. It’s a sandbox escape route—exactly what you don’t want in a multi-tenant environment.
CVE-2024-22226
Score: 7.1 (Important)
This vulnerability affects ESXi, Workstation, and Fusion. It leaks memory via the Host Guest File System (HGFS), exposing sensitive data that could help attackers escalate privileges or move laterally.
And here's the kicker: Broadcom confirms these are being exploited right now, but no proof-of-concept has been released. That means defenders have less time and fewer details to work with—you're flying blind unless you patch.
Who’s Affected?
If you’re running any of the following products, you’re in the blast radius:
- VMware ESXi 6.7, 7.0, or 8.0
- VMware Workstation 17.x
- VMware Fusion 13.x
- VMware Cloud Foundation
- VMware Telco Cloud Platform
You’ll find patch versions listed here. Some platforms have asynchronous patches—others require updating ESXi directly. Don’t assume your managed services provider is on top of this; verify it yourself.
What to Do Now
If your environment touches VMware, this is your priority list:
- Patch now. Update all affected VMware products to the fixed versions. No exceptions. No delays.
- Lock down access. Limit admin interface exposure. If remote access isn’t essential, kill it.
- Watch the logs. Enable and monitor system-level logging to detect suspicious VMX behavior.
- Segment your network. Keep critical workloads isolated. Assume breach and plan containment.
- Audit your privileges. Only trusted admins should have VM-level access. Strip permissions where possible.
Final Take
These are high-risk, actively exploited vulnerabilities. If you’re running VMware products, you’re on the target list—and the attackers already know it.
This isn’t the time for "patching next week." The threat is real, live, and inside your infrastructure if you're not fast enough. Get the patches in, harden your environment, and stay alert.
See Broadcom’s full advisory here.
