Date: 15 July 2025
Advisory: VMSA-2025-0013
Severity: Critical (CVSS 6.2–9.3)
Affected Products: ESXi, Workstation, Fusion, VMware Tools, Cloud Foundation, Telco Cloud
Workaround: None
Fix Available: Yes
Broadcom has published VMSA-2025-0013, addressing 4 critical vulnerabilities affecting VMware virtualization products:
- CVE-2025-41236 (VMXNET3 Integer Overflow)
→ Affects: ESXi, Workstation, Fusion
→ RCE on host from guest via VMXNET3 adapter
→ CVSS: 9.3
- CVE-2025-41237 (VMCI Integer Underflow)
→ Affects: ESXi, Workstation, Fusion
→ OOB write, potential code execution via VMX process
→ CVSS: 9.3
- CVE-2025-41238 (PVSCSI Heap Overflow)
→ Affects: ESXi, Workstation, Fusion
→ Exploitable OOB write in paravirtual SCSI controller
→ CVSS: 9.3
- CVE-2025-41239 (vSockets Info Leak)
→ Affects: VMware Tools (Windows)
→ Uninitialized memory leak to guest
→ CVSS: 7.1
Key Insights
- Attack Vector: All require local admin privileges inside the guest VM.
- Impact: Potential for code execution on the host, depending on configuration and platform.
- VMXNET3 & VMCI vulnerabilities pose the highest risk — especially in environments running Fusion or Workstation outside of ESXi’s sandboxed protections.
- No workarounds are available — patching is mandatory.
- VMware Tools on Windows is affected by CVE-2025-41239 — ensure version 13.0.1 or 12.5.3 is installed where applicable.
Recommended Action
Patch all affected systems using the fixed versions listed in the Response Matrix. Prioritize:
- ESXi 8.0: Update to ESXi80U3f-24784735
- ESXi 7.0: Update to ESXi70U3w-24784741
- Workstation: Upgrade to 17.6.4
- Fusion: Upgrade to 13.6.4
- VMware Tools (Windows): Use 13.0.1 or 12.5.3 (32-bit)
Don’t forget to follow async patching guides for Cloud Foundation and Telco Cloud deployments:
KB88287 – Async Patching Guide
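An added inventory check, not part of the advisory or of Broadcom's tooling, that flags ESXi hosts and Windows guests still below the fixed builds listed above and orders the findings by the advisory's CVSS scores. The host names, builds and Tools versions in the sample inventory are constructed; it assumes you have already exported each host's version/build and each Windows VM's Tools version from your own inventory.

```python
"""Check an exported inventory against the VMSA-2025-0013 fixed builds."""

# Fixed ESXi builds from the advisory, keyed by release line. Builds are only
# comparable within a line: the 7.0 fix (24784741) is numerically above the
# 8.0 fix (24784735), so a cross-line comparison would give wrong answers.
FIXED_ESXI_BUILD = {"8.0": 24784735, "7.0": 24784741}

# Fixed VMware Tools releases for CVE-2025-41239: 13.0.1 on the 13.x line,
# 12.5.3 on the 12.x line. Anything older than 12.5.3 still needs an update.
TOOLS_FIXED_13 = (13, 0, 1)
TOOLS_FIXED_12 = (12, 5, 3)


def _vtuple(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))


def esxi_needs_patch(version: str, build: int) -> bool:
    """True when a host's build is below the fix for its own release line.
    Lines the advisory does not list are flagged so a person reviews them."""
    line = ".".join(version.split(".")[:2])
    fixed = FIXED_ESXI_BUILD.get(line)
    return fixed is None or build < fixed


def tools_needs_patch(tools_version: str) -> bool:
    """True unless Tools is >= 13.0.1, or on the 12.x line and >= 12.5.3."""
    v = _vtuple(tools_version)
    on_fixed_12 = TOOLS_FIXED_12 <= v < (13,)
    return not (v >= TOOLS_FIXED_13 or on_fixed_12)


def assess(hosts, windows_vms):
    """hosts: (name, version, build); windows_vms: (name, tools_version).
    Returns findings with host-side bugs (9.3) before the Tools leak (7.1)."""
    findings = []
    for name, version, build in hosts:
        if esxi_needs_patch(version, build):
            findings.append((name, "ESXi", "CVE-2025-41236/41237/41238", 9.3))
    for name, tools_version in windows_vms:
        if tools_needs_patch(tools_version):
            findings.append((name, "VMware Tools", "CVE-2025-41239", 7.1))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: hypothetical names, builds and versions.
    sample_hosts = [("esx-a", "8.0.3", 24000000), ("esx-b", "7.0.3", 24784741)]
    sample_vms = [("win-db01", "12.5.2"), ("win-app02", "13.0.1")]
    for finding in assess(sample_hosts, sample_vms):
        print(finding)
```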