VMware vulnerabilities: VMSA-2025-0004 | ThreatLocker Blog

Broadcom discloses three VMware vulnerabilities: VMSA-2025-0004


On March 4, 2024, Broadcom publicly disclosed three vulnerabilities affecting VMware ESXi, Workstation, Fusion, Cloud Foundation, Telco Cloud Platform, and Telco Cloud infrastructure products.

Microsoft identified instances of these vulnerabilities being exploited in the wild and subsequently reported them to Broadcom.

CVE-2025-22224 – CVSSv3: 9.3

A heap-overflow vulnerability in the Virtual Machine Communication Interface (VMCI) may allow an attacker in a privileged context within a virtual machine to execute arbitrary code within the virtual machine VMX process on the host device.

CVE-2025-22225 – CVSSv3: 8.2

This vulnerability may allow an attacker with arbitrary code execution within the context of the virtual machine VMX process to trigger an arbitrary kernel write, leading to code execution outside the virtual machine sandbox.

CVE-2025-22226 – CVSSv3: 7.1

This vulnerability in the Host Guest File System (HGFS) may allow an attacker in a privileged context within a virtual machine to leak memory from the virtual machine VMX process, resulting in information disclosure.

What can ThreatLocker® customers do?

ThreatLocker® customers can use Community policies to identify vulnerable VMware Workstation versions and block them from executing across their organization's environment.

Applications team

The following new built-in application definitions for unaffected versions of VMware Workstation are available:

  • BUILT-IN\VMware Workstation Player 17.6.3+ (Built-In)
  • BUILT-IN\VMware Workstation Pro 17 17.6.3+ (Built-In)

Vulnerable versions of VMware Workstation are covered by the following application definitions:

  • BUILT-IN\VMware WS Pro 17 17.6.2 and Below (Built-In)
  • BUILT-IN\VMware Workstation Pro 17 All Versions (Built-In)
  • BUILT-IN\VMware WS Player 17.6.2 and Below (Built-In)
  • BUILT-IN\VMware Workstation Player All Versions (Built-In)  

Threat Intelligence team

The ThreatLocker® Threat Intelligence team recommends customers update any instances of VMware products to their latest patched versions. If immediate patching is not feasible, customers can download Detect and Application Control community policies to identify, contain, and block vulnerable instances of VMware Workstation.

Overall  

  • Update VMware Workstation to version 17.6.3.

Application Control

Organizations that use ThreatLocker® Protect should enact the following recommendations to mitigate potential risk.

  • Update the Application Control allow policy to use the following updated application definitions:  
    • “BUILT-IN\VMware Workstation Pro 17 17.6.3+ (Built-In)”  
    • “BUILT-IN\VMware Workstation Player 17.6.3+ (Built-In)”
  • Download the following community policy to block vulnerable versions of VMware Workstation from executing:
    • “Block VMware Workstation 17.6.2 and below”  
  • Download the following community policy to ringfence vulnerable versions of VMware Workstation if updating to a patched version is not possible. This policy may cause unintended behavior. Reach out to a ThreatLocker Cyber Hero if you have any questions.  
    • “Vulnerable VMware Workstation (Ringfenced)”  

ThreatLocker® Detect (EDR)

Organizations that use ThreatLocker® Detect can download the following community policies:

  • TL.AAL.776 - Vulnerable VMware Workstation Execution Detected
    • Detect the execution of vulnerable versions of VMware Workstation.
  • TL.AAL.778 - VMware-VMX.exe Spawning Suspicious Processes
    • Detect instances of “vmware-vmx.exe” spawning a suspicious child process.
  • NOTE: This policy will be deployed to all ThreatLocker customers once additional testing is completed.
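
The logic the two Detect policies describe, as an added example (not ThreatLocker's policy code), run over constructed process-creation events. The Sysmon-style field names, the executable names other than vmware-vmx.exe, and the list of child processes treated as suspicious are assumptions.

```python
import ntpath
import re

FIXED = (17, 6, 3)  # first unaffected Workstation version named in the article
# Assumptions, not from the article: the executable names besides vmware-vmx.exe
# and this list of child processes treated as suspicious.
WORKSTATION_BINARIES = {"vmware.exe", "vmplayer.exe", "vmware-vmx.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_version(text):
    """Return (major, minor, patch) from a FileVersion string, or None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


def basename(path):
    return ntpath.basename(path or "").lower()


def evaluate(event):
    """Return the list of findings for one process-creation event."""
    findings = []
    image = basename(event.get("Image"))
    parent = basename(event.get("ParentImage"))
    if image in WORKSTATION_BINARIES:
        version = parse_version(event.get("FileVersion"))
        if version is None:  # unreadable version: surface it, do not assume patched
            findings.append("workstation-version-unknown")
        elif version < FIXED:
            findings.append("vulnerable-workstation-execution")
    if parent == "vmware-vmx.exe" and image in SUSPICIOUS_CHILDREN:
        findings.append("vmx-suspicious-child")
    return findings


# Constructed sample events (paths, versions and build numbers are illustrative).
WS = r"C:\Program Files (x86)\VMware\VMware Workstation"
SAMPLE_EVENTS = [
    {"Image": WS + r"\vmware.exe", "ParentImage": r"C:\Windows\explorer.exe", "FileVersion": "17.6.2 build-0000001"},
    {"Image": WS + r"\x64\vmware-vmx.exe", "ParentImage": WS + r"\vmware.exe", "FileVersion": "17.6.3 build-0000002"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WS + r"\x64\vmware-vmx.exe", "FileVersion": "10.0.19041.1"},
    {"Image": WS + r"\vmplayer.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), evaluate(ev))
```

The child-process check does not depend on the Workstation version, so it still fires on hosts whose version could not be read.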
