VMware patches critical ESXi zero-day bugs exploited at Pwn2Own

Summary
– VMware patched four zero-day vulnerabilities in ESXi, Workstation, Fusion, and Tools exploited during Pwn2Own Berlin 2025.
– Three flaws (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238) have a 9.3 severity rating, allowing guest VM programs to execute host commands.
– CVE-2025-41236 is an integer overflow in VMXNET3, CVE-2025-41237 is an integer underflow in VMCI, and CVE-2025-41238 is a heap overflow in PVSCSI.
– The fourth flaw (CVE-2025-41239, rated 7.1) is an information disclosure issue in VMware Tools for Windows.
– No workarounds are available; fixing these flaws requires installing VMware's software updates.

VMware has released critical security updates addressing four vulnerabilities in its virtualization products, including ESXi, Workstation, Fusion, and Tools. These flaws were originally exploited as zero-day vulnerabilities during the Pwn2Own Berlin 2025 hacking competition, highlighting their potential severity.
Three of the patched vulnerabilities carry a critical CVSS score of 9.3, allowing attackers with guest VM access to execute arbitrary code on the host system. Tracked as CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238, these flaws stem from memory corruption issues in key VMware components.
The first vulnerability, CVE-2025-41236, involves an integer overflow in the VMXNET3 virtual network adapter, exploited by Nguyen Hoang Thach of STARLabs SG during the competition. The second, CVE-2025-41237, is an integer underflow in the VMCI (Virtual Machine Communication Interface), leading to an out-of-bounds write. Corentin BAYET of REverse Tactics successfully leveraged this flaw at Pwn2Own.
The third critical flaw, CVE-2025-41238, is a heap overflow in the PVSCSI (Paravirtualized SCSI) controller, enabling attackers with local admin privileges to execute code on the host. Researchers Thomas Bouzerar and Etienne Helluy-Lafont from Synacktiv demonstrated this exploit during the event.
Additionally, VMware patched CVE-2025-41239, rated 7.1 in severity, which allows information disclosure. Corentin BAYET also discovered this issue, chaining it with CVE-2025-41237 for a more effective attack.
No workarounds exist for these vulnerabilities, making immediate patching essential. Administrators must upgrade affected VMware products to the latest versions. Notably, CVE-2025-41239 impacts VMware Tools for Windows, requiring a separate update process.
These vulnerabilities were among 29 zero-day exploits successfully demonstrated at Pwn2Own Berlin 2025, where security researchers earned $1,078,750 in rewards. The swift patching underscores the importance of proactive vulnerability management in enterprise environments.
(Source: Bleeping Computer)