VMware ESXi, Fusion, Workstation: Admins fail to patch critical vulnerability
Four weeks ago, Broadcom released an update to close a critical security gap. However, admins are barely installing it.
About four weeks ago, Broadcom released an update to close a vulnerability in VMware ESXi, Fusion, and Workstation that is rated critical. It allows an attacker to break out of a virtual machine and execute malicious code on the host system. However, IT managers are apparently very hesitant to roll out the update.
Specifically, the error description reads: In VMware ESXi, Workstation, and Fusion, an attacker with local administrative privileges inside a virtual machine that has a virtual VMXNET3 network adapter can trigger an integer overflow and, through it, execute code on the host system (CVE-2025-41236 / EUVD-2025-21544, CVSS 9.3, risk "critical"). VMs with other adapter types are not affected by this bug, so the guest adapter type is the first thing to check when prioritising. The vulnerability was demonstrated at Trend Micro's Zero Day Initiative (ZDI) Pwn2Own competition by security researcher Nguyen Hoang Thach.
Admins are indifferent
Despite this severity, many admins remain inactive. The Shadowserver Foundation tracks vulnerable systems over time and comes to an alarming conclusion: on 19/07/2025, 17,238 Internet-reachable systems were still affected by CVE-2025-41236; on 11/08/2025 there were still 16,439, of which 6,301 are servers in Europe. On 31/07/2025 the count briefly dropped to 12,544, but then climbed back to the earlier high level. The cause of the brief dip is currently unknown. Note that these are hosts whose ESXi management interface is reachable from the Internet at all, which itself runs counter to basic hardening advice; hosts on internal networks are not counted and may be just as unpatched.
Broadcom provides links to the updated software in its July security advisory (VMSA-2025-0013). VMware ESXi 8.0 and 7.0, VMware Workstation 17.x, VMware Fusion 13.x, VMware Cloud Foundation 5.x and 4.x, and VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x are impacted. The advisory lists no workaround, so patching is the only remedy.
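Two checks an administrator would want before and after patching, as an added example that is not from the article or from Broadcom: whether an ESXi host's reported build is at or above the fixed build for its release line, and which VMs actually expose a VMXNET3 adapter (the precondition for this bug). The sample `esxcli system version get` output and the sample `.vmx` fragment are constructed; the fixed build numbers are those listed in VMSA-2025-0013 to the best of the editor's knowledge and must be confirmed against the advisory's response matrix before use.

```python
"""Patch-state and exposure checks for CVE-2025-41236 (added example).

Not Broadcom's or the article's code. Build thresholds are assumed from the
VMSA-2025-0013 response matrix; verify them against the advisory.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `esxcli system version get` output on an ESXi 8.0 host.
SAMPLE_ESXCLI_OUTPUT = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24280767
   Update: 3
   Patch: 0
"""

# Minimum build per release line that contains the fix (ASSUMED values taken
# from the advisory: ESXi 8.0 U3f / 7.0 U3w). Confirm before relying on them.
FIXED_BUILDS: Dict[str, int] = {
    "8.0": 24784735,
    "7.0": 24784741,
}

# Constructed sample .vmx fragment: one vmxnet3 adapter, one e1000e adapter,
# and one vmxnet3 adapter that is configured but not present.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000e"
ethernet2.present = "FALSE"
ethernet2.virtualDev = "vmxnet3"
"""


def parse_esxcli_version(output: str) -> Tuple[str, int]:
    """Return (release line such as '8.0', numeric build) from esxcli output."""
    version = re.search(r"^\s*Version:\s*(\d+\.\d+)", output, re.M)
    build = re.search(r"^\s*Build:\s*Releasebuild-(\d+)", output, re.M)
    if not version or not build:
        raise ValueError("unrecognised esxcli system version output")
    return version.group(1), int(build.group(1))


def is_patched(output: str, fixed: Dict[str, int] = FIXED_BUILDS) -> Optional[bool]:
    """True if the host build is at/above the fixed build for its line,
    False if below, None if the release line is not in the table (e.g. an
    end-of-life line, which must be treated as unpatched, not as unknown-safe)."""
    line, build = parse_esxcli_version(output)
    if line not in fixed:
        return None
    return build >= fixed[line]


def parse_vmx(vmx_text: str) -> Dict[str, str]:
    """Parse `key = "value"` lines of a .vmx file into a dict (comments skipped)."""
    entries: Dict[str, str] = {}
    for m in re.finditer(r'^\s*([\w.:-]+)\s*=\s*"([^"]*)"', vmx_text, re.M):
        entries[m.group(1)] = m.group(2)
    return entries


def vmxnet3_adapters(vmx_text: str) -> List[str]:
    """Names of ethernetN devices that are present and use the vmxnet3 device.
    Only these VMs can be used to trigger CVE-2025-41236 from the guest."""
    cfg = parse_vmx(vmx_text)
    found = []
    for key, value in cfg.items():
        m = re.fullmatch(r"(ethernet\d+)\.virtualDev", key)
        if not m or value.lower() != "vmxnet3":
            continue
        if cfg.get(f"{m.group(1)}.present", "TRUE").upper() == "FALSE":
            continue
        found.append(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    print("host patched:", is_patched(SAMPLE_ESXCLI_OUTPUT))
    print("vmxnet3 adapters in web01:", vmxnet3_adapters(SAMPLE_VMX))
```

On a real host, feed `is_patched` the output of `esxcli system version get` and `vmxnet3_adapters` the contents of each VM's `.vmx` file from the datastore. A `None` result means the release line is not covered by the table and should be treated as unpatched until confirmed.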
Administrators should apply the updates as soon as possible. Vulnerabilities in VMware hypervisors frequently serve as an entry point for criminals. That was the case in March of this year, when IT managers were likewise slow to patch and attackers exploited the CVE-2025-22224 vulnerability, which was already being attacked in the wild when Broadcom published its fix.
(dmk)