
Cloud Vulnerability DB
A community-led vulnerabilities database
VMware ESXi, Workstation, and Fusion contain an integer-underflow vulnerability in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. The vulnerability, tracked as CVE-2025-41237, was discovered during the Pwn2Own Berlin 2025 hacking contest in May 2025 and was publicly disclosed on July 15, 2025. The flaw affects VMware ESXi versions 7.0 and 8.0, Workstation Pro 17.x, and Fusion 13.x (Bleeping Computer, VMware Advisory).
The vulnerability stems from an integer-underflow condition in the VMCI component that leads to out-of-bounds write operations. It received a Critical CVSS v3.1 base score of 9.3 for Workstation/Fusion and 8.4 for ESXi. The vulnerability was discovered by Corentin BAYET of REverse Tactics during the Pwn2Own competition (Cyber Security News, VMware Advisory).
When exploited, this vulnerability allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. On ESXi systems, the exploitation is contained within the VMX sandbox, while on Workstation and Fusion, it can lead to code execution on the host machine where the virtualization software is installed (VMware Advisory).
Broadcom has released patches to address this vulnerability. Users should upgrade to ESXi80U3f-24784735 for ESXi 8.0, ESXi70U3w-24784741 for ESXi 7.0, Workstation Pro 17.6.4, and Fusion 13.6.4. No workarounds are available, making patching the only solution (VMware Advisory).
Source: This report was generated using AI
Free Vulnerability Assessment
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
"We know that if Wiz identifies something as critical, it actually is."