Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
social.linux.pizza is one of the many independent Mastodon servers you can use to participate in the fediverse.
A instance dedicated - but not limited - to people with an interest in the GNU+Linux ecosystem and/or general tech. Sysadmins to enthusiasts, creators to movielovers - Welcome!

Administered by:

Server stats:

1.3K
active users

social.linux.pizza: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Public *
Kevin Beaumont

3 different VMware zero days, under active exploitation by ransomware group

CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform

(Exploitation actually ESXi)

support.broadcom.com/web/ecx/s

Support PortalSupport Content Notification - Support Portal - Broadcom support portal
#threatintel
Public *
Kevin Beaumont

Unclear if related to this post from a few weeks ago.

Public
Kevin Beaumont

You may want to escalate patching this as it allows virtual machine to hypervisor escape - e.g. from some dumb VM to the whole VMware private cloud estate.

Public
Kevin Beaumont

VMware have set the Attack Vector to Local, which brings down the CVSS score - but you don't need to be locally at a VM to do the attack, you can do it over the internet if you have access to any VM.

If you change it to Network, you get 10

Public *
Kevin Beaumont

Good catch by @TomSellers - although VMware doesn't list ESXi 6.7 as vulnerable, it is - they've published a patch for it: techdocs.broadcom.com/us/en/vm

I think what's happening here is 6.7 is under premium (paid) extended support where they publish patches for high severity vulns for $$

This also tends to indicate it applies to other unsupported versions. The forum post suggested that vuln worked on ESXi 5.x - no patch is available that far back.

I think this may be a big problem for many orgs.

Public
Kevin Beaumont

Another good catch by @TomSellers - VMware's website advisory has less detail than their github for some reason.

Their github: github.com/vmware/vcf-security

According to their Github, additional VMware ESXi versions are impacted (e.g. 6.5, 6.7) and older versions are likely impacted but no patches available.

An in the wild exploit for RCE hypervisor escape across every supported (and unsupported) product like this is unprecedent.

GitHubvcf-security-and-compliance-guidelines/security-advisories/vmsa-2025-0004 at main · vmware/vcf-security-and-compliance-guidelinesSecurity, compliance, and operational resilience resources applicable to VMware Cloud Foundation and VMware vSphere. This repository is an official VMware repository managed by Broadcom staff. - vm...
Public
Kevin Beaumont

Quick mspaint.exe diagram on this, calling it ESXicape

- Have access to something like a Windows 11 Virtual Desktop system in VMware, or a Linux box or some such?

- Use ESXicape, a chain of three zero days, to gain access to the ESXi Hypervisor.

- Use that to access every other VM, and be on the management network of VMware cluster

One you have this level of access, traditionally you'll see groups like ransomware actors steal files and wipe things. #ESXicape

#/usr/sbin/rtheren

@GossiTheDog Thanks Kevin. Gonna forward this to some people that I know use VMware.

Mar 05, 2025, 11:12 AM·Public·Web
0boosts·1favorite
Explore
About