U.S. technology giant Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by malicious hackers to compromise the networks of its corporate customers.
The three vulnerabilities — collectively dubbed “ESXicape” by one security researcher — affect VMware ESXi, Workstation, and Fusion, which are widely used software hypervisor products that allow multiple virtual machines to be managed on a single server. Hypervisors are commonly used to reduce the need to take up physical server space.
Broadcom, which acquired VMware in 2023, said that the vulnerabilities (tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) could allow an attacker with administrator or root privileges on a virtual machine to escape its protected sandbox and gain broader unauthorized access to the underlying hypervisor product.
With access to the hypervisor, an attacker can gain access to any other virtual machine, including virtual systems owned by other companies within the same physical data center.
Broadcom says it has “information to suggest” that the vulnerabilities have been exploited in the wild.
“The impact here is huge, an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor,” Stephen Fewer, principal security researcher at threat intelligence company Rapid7, told TechCrunch.
Broadcom did not share any details about the nature of the attacks or the threat actors behind them and did not say whether any customer data had been accessed. A spokesperson for Broadcom did not respond to TechCrunch’s questions. Microsoft, which discovered and reported the vulnerabilities to Broadcom, also didn’t respond by press time.
Security researcher Kevin Beaumont said in a post on Mastodon that the three vulnerabilities are actively being exploited by an as-yet-unnamed ransomware group.
VMware vulnerabilities are frequently targeted by ransomware groups due to their ability to be exploited to compromise multiple servers during a single attack, and given that sensitive corporate data is often stored in these virtualized environments.
Microsoft discovered in 2024 that multiple ransomware groups were exploiting a VMware hypervisor flaw in attacks deploying Black Basta and LockBit ransomware in data-stealing campaigns targeting corporate data. The previous year, a large-scale hacking campaign, dubbed “ESXiArgs,” saw ransomware groups exploit a two-year-old VMware vulnerability to target thousands of organizations worldwide.
Broadcom has released patches for the three vulnerabilities, which are classed as “zero-day” bugs due to the fact they were exploited before a fix was made available. Broadcom described its security advisory as an “emergency” change and is urging customers to apply the patches as soon as possible.
U.S. government cybersecurity agency CISA is also warning federal agencies to patch against the bugs, which it has added to its running catalog of vulnerabilities known to be under attack.
