CVE-2025-41237

CWE-787Out-of-bounds Write4 documents4 sources
Severity
9.3CRITICAL
EPSS
0.0%
top 86.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Vmware EsxiVmware FusionVmware Workstation+4 more
Timeline
PublishedJul 15
Latest updateJul 17

Description

VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.5 | Impact: 6.0

Affected Packages7 packages

CVEListV5vmware/fusion13.x13.6.4
CVEListV5vmware/workstation17.x17.6.4
CVEListV5vmware/esxi8.0ESXi80U3f-24784735+2
CVEListV5vmware/cloud_foundation9.0.0.0, 5.x, 4.5.x
CVEListV5vmware/vsphere_foundation9.0.0.0

🔴Vulnerability Details

2
GHSA
GHSA-6hwj-h56x-jhh3: VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds wri2025-07-15
CVEList
VMCI integer-underflow vulnerability2025-07-15

🕵️Threat Intelligence

1
Bleepingcomputer
VMware fixes four ESXi zero-day bugs exploited at Pwn2Own Berlin2025-07-17
CVE-2025-41237 (CRITICAL CVSS 9.3) | VMware ESXi | cvebase.io