US technology giant Broadcom warns that a trio of VMware vulnerabilities have been actively exploited by malicious hackers to compromise the networks of its corporate customers.
The three vulnerabilities, collectively referred to as “ESXicape” by one security researcher, affect VMware ESXi, Workstation, and Fusion. These are widely used software hypervisor products that allow multiple virtual machines to be managed on a single server. Hypervisors are commonly used to save space on physical servers.
Broadcom, which acquired VMware in 2023, said the vulnerabilities (tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) could allow an attacker with administrator or root privileges on a virtual machine to escape its protected sandbox.
Access to the hypervisor allows an attacker to access other virtual machines, including virtual systems owned by other companies in the same physical data center.
Broadcom says it has “information to suggest” that the vulnerabilities are being exploited in the wild.
“The impact here is enormous. Attackers who compromise a hypervisor can compromise other virtual machines that share the same hypervisor,” Stephen, a leading security researcher at threat intelligence company Rapid7, told TechCrunch.
Broadcom did not share details about the nature of the attacks or the threat actors behind them, nor did it say whether customer data was accessed. A Broadcom spokesman did not respond to TechCrunch's questions. Microsoft, which discovered the vulnerabilities and reported them to Broadcom, also did not respond by press time.
Security researcher Kevin Beaumont said in a Mastodon post that the three vulnerabilities are being actively exploited by as-yet-unknown ransomware groups.
VMware vulnerabilities are frequently targeted by ransomware groups because they can be exploited to compromise multiple servers in a single attack, and because the enterprise data stored in these virtualized environments is often sensitive.
In 2024, Microsoft discovered that several ransomware groups were leveraging a VMware hypervisor flaw in attacks that deployed Black Basta and LockBit ransomware in data-theft campaigns targeting corporate data. The previous year, a massive hacking campaign called “ESXiArgs” leveraged a two-year-old VMware vulnerability to target thousands of organizations around the world.
Broadcom has released patches for the three vulnerabilities, which are classified as “zero-day” bugs because they were exploited before fixes became available. Broadcom describes its security advisory as an “urgent” change, urging customers to apply the patches as soon as possible.
Additionally, CISA, a US government cybersecurity agency, has warned federal agencies to patch the bugs, which it has added to its catalog of vulnerabilities known to be under attack.