⚠ Actively exploited

Added to CISA KEV on 2025-03-04. Federal agencies required to patch by 2025-03-25. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-22226

CWE-125 — Out-of-bounds Read9 documents7 sources

Severity

6.0MEDIUM

EPSS

4.3%

top 11.09%

CISA KEV

KEV

Added 2025-03-04

Due 2025-03-25

Exploit

No known exploits

Affected products

Vmware Fusion Vmware Workstation Vmware Esxi +2 more

Timeline

PublishedMar 4

KEV addedMar 4

KEV dueMar 25

Latest updateFeb 4

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 2.5 | Impact: 4.0

Affected Packages11 packages

▶CVEListV5vmware_fusion13.x — 13.6.3

▶NVDvmware/fusion13.0.0 — 13.6.3

▶CVEListV5vmware_workstation17.x — 17.6.3

▶NVDvmware/workstation17.0 — 17.6.3

▶NVDvmware/esxi7.0, 8.0+1

🔴Vulnerability Details

GHSA

GHSA-37f6-vjg7-8c6c: VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS↗2025-03-04

▶

CVEList

CVE-2025-22226: VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS↗2025-03-04

▶

VulnCheck

VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability↗2025

▶

📋Vendor Advisories

CISA

VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability↗2025-03-04

▶

🕵️Threat Intelligence

Bleepingcomputer

CISA: VMware ESXi flaw now exploited in ransomware attacks↗2026-02-04

▶