SOC Advisory – Critical Vulnerabilities in VMware Products (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239) – 17 July 2025

Overview

CVE: CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239
Severity: CRITICAL
Score: CVSS 9.3 (41236, 41237, 41238), CVSS 7.1 (41239)
Date: 17 July 2025

Broadcom (VMware) has disclosed four critical vulnerabilities affecting VMware ESXi, Workstation, Fusion, Tools, and Cloud Foundation. These vulnerabilities were discovered through offensive research at Pwn2Own 2025 and can enable virtual machine (VM) escape, host-level code execution, or memory leakage. Exploitation requires administrative access within a guest VM, and is particularly concerning in multi-tenant or service provider environments.

Affected Versions

• VMware ESXi (multiple versions)
• VMware Workstation 17.x
• VMware Fusion 13.x
• VMware Tools (11.x.x to 13.x.x)
• VMware Cloud Foundation

Vulnerability Breakdown

CVE-2025-41236

• Description: Integer overflow in the VMXNET3 virtual network adapter.
• Score: CVSS 9.3
• Impact: Guest VM admin may execute arbitrary code on the host.
• Risk: Critical in cloud, VDI, and MSP environments.

CVE-2025-41237

• Description: Integer underflow in the VMCI device.
• Score: CVSS 9.3
• Impact: Enables guest VM admin to run code as VMX host process.
• Risk: High risk of VM escape.

CVE-2025-41238

• Description: Heap overflow in the PVSCSI controller.
• Score: CVSS 9.3
• Impact: Local VM admin may execute code on the host in certain setups.
• Risk: Major risk for misconfigured or legacy VMs.

CVE-2025-41239

• Description: Use of uninitialised memory in vSockets.
• Score: CVSS 7.1
• Impact: Information disclosure via memory leakage from host to guest.
• Risk: Medium but notable in sensitive environments.

Mitigation

• Apply patches or upgrade to the latest supported versions of affected products as outlined in VMware advisory VMSA-2025-0013.
• Environments with active VMXNET3, VMCI or PVSCSI usage should prioritise immediate action.
• Limit admin access on guest VMs and audit virtual hardware configurations.

Summary for IT Teams

• Products: VMware ESXi, Workstation, Fusion, Tools, Cloud Foundation
• Threat Level: Critical
• Action:
  • Apply patches for all affected platforms immediately
  • Review virtual hardware use (VMXNET3, VMCI, PVSCSI)
  • Minimise guest VM admin rights and harden access controls

References

• Broadcom Advisory
• CVE-2025-41236
• CVE-2025-41237
• CVE-2025-41238
• CVE-2025-41239

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.