
VMware fixed four vulnerabilities in VMware ESXi, Workstation, Fusion, and Tools that were exploited as zero-days during the Pwn2Own Berlin 2025 hacking competition in May 2025.
Three of the patched flaws have a severity rating of 9.3, as they allow programs running in a guest virtual machine to execute commands on the host. These flaws are tracked as CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238.
The security advisory describes these flaws as follows:
- CVE-2025-41236: VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. Nguyen Hoang Thach of STARLabs SG used this flaw at Pwn2Own.
- CVE-2025-41237: VMware ESXi, Workstation, and Fusion contain an integer underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. Corentin Bayet of REverse Tactics used this flaw at Pwn2Own.
- CVE-2025-41238: VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine can exploit this issue to execute code as the virtual machine's VMX process. Thomas Bouzerar and Etienne Helluy-Lafont of Synacktiv used this flaw at Pwn2Own.
The fourth flaw, tracked as CVE-2025-41239, received a 7.1 rating because it is an information disclosure. It was also discovered by Corentin Bayet of REverse Tactics, who chained it with CVE-2025-41237 during the hacking competition.
VMware has not provided any workarounds, and the only way to fix these vulnerabilities is to install the new versions of the software.
It should be noted that CVE-2025-41239 affects VMware Tools for Windows, which requires a separate upgrade process.
These vulnerabilities were demonstrated as zero-days during the Pwn2Own Berlin 2025 hacking competition, where security researchers collected $1,078,750 after exploiting 29 zero-day vulnerabilities.


