Summary
CVE-2025-22226 is a high-severity information leak in VMware ESXi, Workstation, and Fusion’s HGFS (Host-Guest File System). Attackers with admin access inside a guest VM can exploit an out-of-bounds read to leak sensitive VMX process memory, exposing data like passwords and keys. This risks operational security and tenant isolation, with major financial and reputational impact. VMware has released patches—immediate updates, limiting HGFS, and restricting admin access are essential to mitigate the risk.
Urgent Actions Required
- Update VMware ESXi, Workstation, and Fusion to the latest versions.
- Turn off or limit HGFS if it’s not needed.
- Allow admin access in guest VMs only for trusted users.
- Watch for suspicious activity involving HGFS or VMX memory access.
Which Systems Are Vulnerable to CVE-2025-22226?
Technical Overview
- Vulnerability Type: Information Disclosure via Out-of-Bounds Read in HGFS
- Affected Software/Versions:
- VMware ESXi: 6.7, 7.0, 8.0 (fixed in ESXi670-202503001, ESXi70U3s-24585291, ESXi80U3d-24585383, ESXi80U2d-24585300)
- VMware Workstation: 17.x (fixed in 17.6.3)
- VMware Fusion: 13.x (fixed in 13.6.3)
- VMware Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure (fixes available via asynchronous or related ESXi patch channels)
- Attack Vector: Local (attacker must have admin/root privileges inside a guest VM)
- CVSS Score: 7.1
- Exploitability Score: 2.5
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High (admin inside guest VM)
- User Interaction: None
- Patch Availability: Yes, available
How Does the CVE-2025-22226 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-22226?
Vulnerability Root Cause:
This vulnerability is an out-of-bounds read in the HGFS code that runs inside the VMX process on the host. When an attacker with admin rights inside a guest VM sends crafted HGFS requests, the VMX process reads memory beyond the intended buffer and returns it to the guest. Because the VMX process holds host-side state, the leaked bytes can include confidential data such as credentials and keys.
How Can You Mitigate CVE-2025-22226?
If immediate patching is delayed or not possible:
- Limit administrative access inside guest virtual machines to trusted users only.
- Disable or restrict the use of the HGFS component if feasible.
- Monitor VMX process behavior and guest-to-host communication for unusual or malformed HGFS requests.
- Apply network segmentation and access controls to minimize attack surface between guests and hosts.
- Implement host-based intrusion detection systems (HIDS) to detect suspicious memory leakage activity.
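The "disable or restrict HGFS" step above is applied through the VM's advanced configuration. The following script is an added example (not code from the page or from VMware): it parses a `.vmx` file, reports whether the documented HGFS isolation keys (`isolation.tools.hgfsServerSet.disable` for vSphere guests, `isolation.tools.hgfs.disable` for Workstation/Fusion shared folders) explicitly disable HGFS, lists any shared folders that are still enabled, and writes out a hardened copy. The sample `.vmx` content is constructed for the example; the key names are VMware's advanced settings as documented in the vSphere Security Configuration Guide, and you should confirm they are honoured on your product version.

```python
"""Audit a VMware .vmx file for HGFS exposure and emit a hardened copy."""

# VMX isolation settings that disable HGFS file transfer. These are the
# documented VMware advanced settings (vSphere Security Configuration Guide);
# confirm they are still honoured on your product version.
HGFS_KEYS = (
    "isolation.tools.hgfsServerSet.disable",  # ESXi / vSphere guests
    "isolation.tools.hgfs.disable",           # Workstation / Fusion shared folders
)

# Constructed sample .vmx for a Workstation guest that has shared folders enabled.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent-01"
isolation.tools.hgfs.disable = "FALSE"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "/home/ops/shared"
"""


def parse_vmx(text):
    """Parse key = "value" lines into a dict; blank lines and comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def hgfs_findings(cfg):
    """Return one finding per isolation key that does not explicitly disable HGFS."""
    findings = []
    for key in HGFS_KEYS:
        value = cfg.get(key, "")
        if value.upper() != "TRUE":
            shown = value if value else "<unset>"
            findings.append(f'{key} = "{shown}" (expected "TRUE")')
    return findings


def enabled_shared_folders(cfg):
    """Host paths of shared folders that are present and enabled (Workstation/Fusion)."""
    paths = []
    count = int(cfg.get("sharedFolder.maxNum", "0") or 0)
    for i in range(count):
        prefix = f"sharedFolder{i}."
        present = cfg.get(prefix + "present", "").upper() == "TRUE"
        enabled = cfg.get(prefix + "enabled", "").upper() == "TRUE"
        if present and enabled:
            paths.append(cfg.get(prefix + "hostPath", "<unknown>"))
    return paths


def harden(cfg):
    """Return a copy with both HGFS isolation keys set to TRUE.

    The setting is read when the VM powers on, so a power cycle is needed
    for it to take effect on a running guest.
    """
    hardened = dict(cfg)
    for key in HGFS_KEYS:
        hardened[key] = "TRUE"
    return hardened


def render_vmx(cfg):
    """Serialise back to .vmx syntax with sorted keys."""
    return "\n".join(f'{k} = "{v}"' for k, v in sorted(cfg.items())) + "\n"


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    for finding in hgfs_findings(cfg):
        print("FINDING:", finding)
    for path in enabled_shared_folders(cfg):
        print("INFO: shared folder enabled ->", path)
    print(render_vmx(harden(cfg)))
```

Run it against an exported `.vmx` (or the output of a vSphere API query for the VM's extra config) to inventory which guests still expose HGFS. As the page notes, this narrows the attack surface but does not replace the patch: the out-of-bounds read lives in the VMX process, and only the fixed builds remove it.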
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- VMware ESXi hosts running versions 6.7, 7.0, or 8.0
- VMware Workstation 17.x installations
- VMware Fusion 13.x installations
- VMware Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure environments using affected ESXi versions
- Business-Critical Systems at Risk:
- Virtualized environments hosting sensitive workloads or confidential data
- Multi-tenant cloud infrastructures relying on strong VM isolation
- Development and testing environments using VMware Workstation or Fusion with admin access in guest VMs
- Exposure Level:
- Hosts and systems where attackers have administrative privileges inside guest VMs
- Systems that use HGFS and allow guest-to-host communication, increasing risk of sensitive host memory leakage
- Environments that lack proper access controls on guest VM users or don’t separate guests and hosts well
Will Patching CVE-2025-22226 Cause Downtime?
Patch application impact: Moderate. Applying VMware patches may need system restarts, causing short downtime. To avoid issues, update during maintenance times and test patches in staging first.
Mitigation (if immediate patching is not possible): You can reduce some risk by limiting admin access inside guest VMs and disabling or restricting HGFS if possible. However, these steps are not enough—full patching is required to fully fix the issue and stop host memory leaks.
How Can You Detect CVE-2025-22226 Exploitation?
- Exploitation Signatures:
- No detailed exploitation signatures available as of now.
- Exploitation involves leaking sensitive host memory via the VMX process from within guest VMs.
- Indicators of Compromise (IOCs/IOAs):
- Unusual or unexpected memory leaks from the VMX process.
- Signs of compromised tenant isolation or exposure of confidential host data.
- Behavioral Indicators:
- Anomalous activity by administrative users inside guest VMs.
- Unexpected access or manipulation of the VMX process memory.
- Alerting Strategy:
- Priority: High due to sensitive data exposure risks.
- Monitor for abnormal VMX process behavior or memory leaks.
- Audit and restrict administrative access inside guest VMs.
Remediation & Response
Patch/Upgrade Instructions:
Apply VMware patches for affected products:
- VMware ESXi 6.7, 7.0, 8.0 (fixed in ESXi670-202503001, ESXi70U3s-24585291, ESXi80U3d-24585383, ESXi80U2d-24585300)
- VMware Workstation 17.x (fixed in 17.6.3)
- VMware Fusion 13.x (fixed in 13.6.3)
For VMware Cloud Foundation and Telco Cloud Platform customers, apply asynchronous or related ESXi patches as advised by VMware.
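To confirm that the ESXi patches above are actually installed across a fleet, compare each host's reported build number with the fixed builds in the patch IDs listed on this page. The script below is an added example, not VMware tooling: it parses the first line of `vmware -vl` output (for example `VMware ESXi 8.0.3 build-24585383`), keys the comparison by release line because build numbers are only comparable within the same line, and flags ESXi 6.7 hosts for manual review since the advisory gives the 6.7 fix as bulletin ESXi670-202503001 rather than a build number. The host names and the two unpatched build numbers in the sample are constructed.

```python
"""Check ESXi hosts' reported builds against the fixed builds for CVE-2025-22226."""
import re

# Minimum fixed build per ESXi release line, taken from the patch IDs on this page
# (ESXi70U3s-24585291, ESXi80U2d-24585300, ESXi80U3d-24585383).
FIXED_BUILDS = {
    "7.0.3": 24585291,  # ESXi 7.0 Update 3
    "8.0.2": 24585300,  # ESXi 8.0 Update 2
    "8.0.3": 24585383,  # ESXi 8.0 Update 3
}

# ESXi 6.7 is fixed by a bulletin whose build number the page does not list.
MANUAL_REVIEW = {"6.7.0": "ESXi670-202503001"}

NO_FIX_LISTED = "no fix listed for this line; move to a fixed release line"

# Matches the first line of `vmware -vl` on ESXi.
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")

# Constructed sample outputs as `vmware -vl` prints them; host names and the
# older build numbers are made up for the example.
SAMPLE_HOSTS = {
    "esx-prod-01": "VMware ESXi 8.0.3 build-24585383\nVMware ESXi 8.0 Update 3\n",
    "esx-prod-02": "VMware ESXi 7.0.3 build-23794027\nVMware ESXi 7.0 Update 3\n",
    "esx-lab-01": "VMware ESXi 6.7.0 build-17700523\nVMware ESXi 6.7 Update 3\n",
}


def parse_version(output):
    """Return (release line, build number) from `vmware -vl` output."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError(f"unrecognised version output: {output!r}")
    return match.group(1), int(match.group(2))


def patch_status(version, build):
    """Classify a host: patched, vulnerable, review (6.7), or no fix listed."""
    fixed = FIXED_BUILDS.get(version)
    if fixed is not None:
        # Builds increase monotonically within one release line, so >= is sufficient.
        return "patched" if build >= fixed else "vulnerable"
    if version in MANUAL_REVIEW:
        return f"review: compare installed bulletins against {MANUAL_REVIEW[version]}"
    return NO_FIX_LISTED


def assess(hosts):
    """Map host name -> patch status for a dict of host name -> `vmware -vl` output."""
    return {name: patch_status(*parse_version(out)) for name, out in hosts.items()}


if __name__ == "__main__":
    for host, status in assess(SAMPLE_HOSTS).items():
        print(f"{host:12s} {status}")
```

Feed it real output collected over SSH or from the vSphere API (the host's `config.product.build` carries the same number). A host on a release line absent from the table, such as 8.0 Update 1, gets the "no fix listed" status rather than a guess, because the page lists fixes only for the 7.0 U3, 8.0 U2 and 8.0 U3 lines.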
Official VMware Advisory:
Support Content Notification – Support Portal – Broadcom support portal
Mitigation Steps if No Patch:
- Limit administrative access inside guest VMs to trusted personnel only.
- Restrict or disable HGFS (Host-Guest File System) usage if feasible, to reduce attack surface.
Incident Response Considerations:
- Monitor for suspicious administrative activity within guest VMs.
- Review VMware logs for unusual memory access or VMX process anomalies.
- Investigate any signs of sensitive memory leakage or data exposure.
- After patching, continue auditing administrative access and memory handling processes.
Compliance & Governance Notes
Standards Impacted:
- NIST 800-53: SI-2 – Flaw Remediation
Organizations are expected to remediate known software flaws in a timely manner. VMware has provided patches for CVE-2025-22226 to comply with this requirement.
Where Can I Find More Information on CVE-2025-22226?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 7.1 | High |
| Attack Vector | Local | Exploitation requires admin access inside the guest VM |
| Attack Complexity | Low | No special conditions required for exploitation |
| Privileges Required | High | Attacker must have administrative/root access inside the VM |
| User Interaction | None | Exploit does not require user interaction once access is obtained |
| Scope | Unchanged | Impact is confined to the same security scope (i.e., guest VM → host memory) |
| Confidentiality Impact | High | Sensitive host memory (e.g., passwords, keys) may be exposed |