VMware addressed four critical vulnerabilities in its ESXi, Workstation, Fusion, and Tools products that were exploited during the Pwn2Own Berlin 2025 hacking contest. These flaws, some rated as high as 9.3 severity, could allow guest programs to execute commands on the host system. #VMware #Pwn2OwnBerlin2025
Keypoints
- Four vulnerabilities were patched in VMware ESXi, Workstation, Fusion, and Tools after being exploited as zero-days.
- Three of the flaws, CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238, have a severity rating of 9.3.
- The flaws include an integer-overflow, an integer-underflow, and a heap-overflow, which enable remote code execution and privilege escalation.
- VMware recommends updating to the latest versions of their software, as no workarounds are provided.
- The vulnerabilities were demonstrated during the Pwn2Own Berlin hacking contest, where researchers earned over $1 million in prizes.