Warning: Critical vulnerabilities in VMware could be exploited to execute code on the host machine, patch immediately!

Published: 16/07/2025
  • Last update: 16-07-2025
  • Affected software:
    → VMware Cloud Foundation
    → VMware vSphere Foundation
    → VMware ESXi
    → VMware Workstation
    → VMware Fusion
    → VMware Telco Cloud Platform
    → VMware Telco Cloud Infrastructure
    → VMware Tools
  • Type: Out-of-bounds write, use of uninitialised resource
  • CVE/CVSS
    → CVE-2025-41236: CVSS 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-41237: CVSS 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-41238: CVSS 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-41239: CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Sources

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877
https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0013

Risks

On 15 July 2025, Broadcom published an advisory for 4 critical vulnerabilities affecting various VMware products, including VMware ESXi, Workstation, Fusion and Tools. Three of the four vulnerabilities can be exploited by a threat actor with local administrative privileges on a virtual machine to execute code on the host.

These vulnerabilities were initially found at the Pwn2Own 2025 event.

Virtualization tools from VMware are commonly used technologies in medium to large organisations. VMware ESXi has been targeted by threat actors in the past, especially ransomware actors. VMware is not aware of active exploitation of these vulnerabilities (cut-off date: 16 July 2025).

Description

There are four vulnerabilities in this advisory:

CVE-2025-41236, affecting VMware ESXi, Workstation, and Fusion.

CVE-2025-41236 is an integer-overflow vulnerability in the VMXNET3 virtual network adapter. A malicious actor with local administrative privileges on a virtual machine with a VMXNET3 virtual network adapter may exploit this issue to execute code on the host.
Note that non-VMXNET3 virtual adapters are not affected by this issue.

CVE-2025-41237 affecting VMware ESXi, Workstation, and Fusion.

CVE-2025-41237 is an integer-underflow vulnerability in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine could successfully exploit this vulnerability to execute code as the virtual machine's VMX process running on the host.
Please note that on ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

CVE-2025-41238 affecting VMware ESXi, Workstation, and Fusion.

This flaw is a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
Please note that on ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

CVE-2025-41239 affecting VMware ESXi, Workstation, Fusion, and VMware Tools.

This vulnerability is an information disclosure vulnerability due to the use of uninitialised memory in vSockets. A malicious actor with local administrative privileges on a virtual machine could exploit this issue to leak memory from processes communicating with vSockets.
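As an added defender-side triage check (not part of the CCB advisory or of Broadcom's guidance), the following Python parses a Workstation/Fusion/ESXi .vmx configuration and flags the guest devices whose types are named above: VMXNET3 adapters (CVE-2025-41236) and PVSCSI controllers (CVE-2025-41238). It only reads configuration, so it can be run over an inventory of .vmx files to decide which guests to patch or reconfigure first. The sample .vmx content is constructed; the key names ethernetN.virtualDev, scsiN.virtualDev and N.present are standard .vmx keys, and the CVE mapping follows the advisory text.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .vmx content (not taken from the advisory): one VMXNET3
# NIC, one e1000e NIC and one PVSCSI controller.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "app-server-01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000e"
scsi0.present = "TRUE"
scsi0.virtualDev = "pvscsi"
scsi0:0.fileName = "app-server-01.vmdk"
'''

# Device types tied to a CVE in VMSA-2025-0013: (key prefix, virtualDev value).
# CVE-2025-41237 (VMCI) and CVE-2025-41239 (vSockets) are not tied to a
# guest device type in the advisory, so they are not inferred from the .vmx.
EXPOSED_DEVICES: Dict[str, Tuple[str, str]] = {
    "CVE-2025-41236": ("ethernet", "vmxnet3"),
    "CVE-2025-41238": ("scsi", "pvscsi"),
}

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines of a .vmx file into a dict with lower-cased keys."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def exposed_components(cfg: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {CVE: [device ids]} for enabled devices of an advisory-listed type."""
    hits: Dict[str, List[str]] = {}
    for cve, (prefix, devtype) in EXPOSED_DEVICES.items():
        for key, value in cfg.items():
            dev, _, attr = key.partition(".")
            if not (dev.startswith(prefix) and attr == "virtualdev"):
                continue
            # A device only exists for the guest when its .present key is TRUE.
            if value.lower() == devtype and cfg.get(f"{dev}.present", "").upper() == "TRUE":
                hits.setdefault(cve, []).append(dev)
    return hits


if __name__ == "__main__":
    for cve, devs in sorted(exposed_components(parse_vmx(SAMPLE_VMX)).items()):
        print(f"{cve}: {', '.join(devs)}")
```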

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
The Centre for Cybersecurity Belgium encourages reading the supplemental FAQ: https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0013

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0013