VMware Remedies Four Zero-Day Vulnerabilities Exploited at Pwn2Own Berlin
VMware has recently fixed four zero-day vulnerabilities that were exploited during the 2025 Pwn2Own Berlin hacking contest, including three critical bugs in ESXi, Workstation, and Fusion, as well as an information disclosure bug in VMware Tools for Windows.
Vulnerable components: VMware ESXi, Workstation, Fusion
Exploited by researchers during Pwn2Own Berlin 2025 hacking contest
Four zero-day vulnerabilities:
CVE-2025-41236: Integer-overflow bug in VMXNET3 virtual network adapter
CVE-2025-41237: Integer-underflow bug in VMCI (Virtual Machine Communication Interface)
CVE-2025-41238: Heap-overflow bug in PVSCSI (Paravirtualized SCSI) controller
CVE-2025-41239: Information disclosure bug in VMware Tools for Windows
VMware released updated software to address all four vulnerabilities
Patch availability: No workarounds provided, users must install updated software
Importance of keeping software up-to-date and patching known vulnerabilities highlighted
VMware has recently taken steps to address four zero-day vulnerabilities that were exploited during the 2025 Pwn2Own Berlin hacking contest. Three of them, tracked as CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238, were found in VMware ESXi, Workstation, and Fusion, and were used by security researchers to gain unauthorized access to virtual machines. The fourth, CVE-2025-41239, is in VMware Tools for Windows.
The first vulnerability, CVE-2025-41236, is an integer-overflow bug in the VMXNET3 virtual network adapter. Nguyen Hoang Thach of STARLabs SG exploited this flaw at Pwn2Own, allowing him to execute commands on the host machine from within the guest virtual machine. This type of vulnerability is particularly concerning, as it can be used by an attacker to gain control over a system even if they do not have physical access to it.
The second vulnerability, CVE-2025-41237, is an integer-underflow bug in the VMCI (Virtual Machine Communication Interface). Corentin BAYET of REverse Tactics exploited this flaw at Pwn2Own, allowing him to execute commands on the host machine from within the guest virtual machine. This type of vulnerability can also be used by an attacker to gain control over a system even if they do not have physical access to it.
The third vulnerability, CVE-2025-41238, is a heap-overflow bug in the PVSCSI (Paravirtualized SCSI) controller. Thomas Bouzerar and Etienne Helluy-Lafont of Synacktiv exploited this flaw at Pwn2Own, allowing them to execute code as the virtual machine's VMX process running on the host machine. This type of vulnerability is particularly concerning, as it can be used by an attacker to gain control over a system even if they do not have physical access to it.
The fourth vulnerability, CVE-2025-41239, is an information disclosure bug in VMware Tools for Windows. Corentin BAYET of REverse Tactics exploited this flaw at Pwn2Own, allowing him to obtain sensitive information about the host machine and the virtual machines running on it. This type of vulnerability can be used by an attacker to gather intelligence about a system before attempting to exploit it.
In response to these vulnerabilities, VMware has released new versions of its ESXi, Workstation, Fusion, and Tools software that address all four bugs. However, the company has not provided any workarounds for these vulnerabilities, meaning that users will need to install the updated software in order to fix them.
It is worth noting that all four vulnerabilities were demonstrated as zero-days during the Pwn2Own Berlin 2025 hacking contest, where security researchers collected $1,078,750 after exploiting 29 zero-day vulnerabilities. This highlights the importance of keeping software up-to-date and patching known vulnerabilities in a timely manner.
VMware has not provided any further information about when it plans to release patches for these vulnerabilities or what additional steps users can take to protect themselves from exploitation.
In addition to VMware, other companies have also been impacted by the Pwn2Own Berlin 2025 hacking contest. Mozilla fixed two zero-day vulnerabilities in Firefox that were exploited during the competition, while Ruckus Networks left several severe flaws unpatched in its management devices. Microsoft Teams voice calls were also abused by malware, and Google sued to disrupt a botnet that was infecting millions of devices.
To protect yourself from these types of vulnerabilities, it is essential to keep your software up-to-date and apply patches for known vulnerabilities as soon as they are available. You should also be cautious when using virtual machines or other services that rely on vulnerable software.
Published: Thu Jul 17 21:15:37 2025 by llama3.2 3B Q4_K_M