VMware ESXi, Workstation, Fusion, and Tools Multiple Vulnerabilities (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, & CVE-2025-41239)

Multiple vulnerabilities impact VMware ESXi, Workstation, Fusion, and Tools. They are tracked as CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, & CVE-2025-41239, and successful exploitation of the vulnerabilities leads to remote code execution.

VMware ESXi is a hypervisor that allows users to create and manage virtual machines (VMs) on physical servers. It’s a key part of VMware’s infrastructure software suite.

VMware Workstation is a program that allows users to run multiple operating systems on a single computer. It’s a hypervisor that creates virtual machines (VMs) that run alongside the host machine.

VMware Fusion is a software hypervisor explicitly designed for macOS systems. It enables virtual machines with guest operating systems like Microsoft Windows, Linux, or macOS to run within the host macOS operating system.

CVE-2025-41236: VMXNET3 integer-overflow vulnerability

The vulnerability has a critical severity rating with a CVSSv3 base score of 9.3. The integer-overflow vulnerability exists in the VMXNET3 virtual network adapter. To exploit the vulnerability, an attacker must have local administrative privileges on a virtual machine with a VMXNET3 virtual network adapter. Upon successful exploitation, an attacker may achieve remote code execution on the host.

Note: Non-VMXNET3 virtual adapters are not affected by this vulnerability.

CVE-2025-41237: VMCI integer-underflow vulnerability

The vulnerability has a critical severity rating with a CVSSv3 base score of 9.3. The integer-underflow flaw exists in VMCI (Virtual Machine Communication Interface) and could lead to an out-of-bounds write. An attacker must have local administrative privileges on a virtual machine to exploit the vulnerability. An attacker may exploit the vulnerability to execute code as the virtual machine’s VMX process running on the host.

On ESXi, the exploitation is contained within the VMX sandbox, whereas on Workstation and Fusion, exploitation of the flaw may lead to code execution on the machine where Workstation or Fusion is installed.

CVE-2025-41238: PVSCSI heap-overflow vulnerability

The vulnerability has a critical severity rating with a CVSSv3 base score of 9.3. The heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller leads to an out-of-bounds write. An attacker must have local administrative privileges on a virtual machine to exploit the vulnerability. An attacker may exploit the vulnerability to execute code as the virtual machine’s VMX process running on the host.

On ESXi, the exploitation is contained within the VMX sandbox and is exploitable only with unsupported configurations. On Workstation and Fusion, exploitation of the flaw may lead to code execution on the machine where Workstation or Fusion is installed.

CVE-2025-41239: vSockets information-disclosure vulnerability

The information-disclosure vulnerability originates from the use of uninitialized memory in vSockets. An attacker must have local administrative privileges on a virtual machine to exploit the vulnerability. Successful exploitation of the vulnerability may lead to a memory leak from processes communicating with vSockets.

Affected Products

  • VMware Cloud Foundation
  • VMware vSphere Foundation
  • VMware ESXi
  • VMware Workstation Pro
  • VMware Fusion 
  • VMware Tools
  • VMware Telco Cloud Platform
  • VMware Telco Cloud Infrastructure

Affected versions

  • VMware Fusion 13.0.x versions before 13.6.4
  • VMware Workstation 17.0.x versions before 17.6.4
  • VMware ESXi 8.0.x versions before ESXi80U2e-24789317
  • VMware ESXi 7.0.x versions before ESXi70U3w-24784741

Mitigation

Users must upgrade to the following versions to patch the vulnerabilities:

  • VMware Fusion version 13.6.4
  • VMware Workstation version 17.6.4
  • VMware ESXi version ESXi80U2e-24789317
  • VMware ESXi version ESXi70U3w-24784741

For more information, please refer to the VMware Advisory (VMSA-2025-0013).
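As an added triage check (not part of the Qualys post, the VMware advisory, or any VMware tool), the following Python classifies collected version strings against the fixed builds and versions listed above. It assumes the `VMware ESXi <version> build-<n>` form that `vmware -vl` prints on an ESXi host and a `VMware <Workstation|Fusion> <x.y.z>` string for the desktop products, and it only covers the 8.0 and 7.0 ESXi trains named in this post; other update trains have their own fixed builds and are reported as unknown rather than compared. All input lines below are constructed samples.

```python
import re

# Fixed builds and versions as listed in the advisory summary above.
FIXED_ESXI_BUILD = {"8.0": 24789317, "7.0": 24784741}
FIXED_DESKTOP_VERSION = {"Fusion": (13, 6, 4), "Workstation": (17, 6, 4)}

# Assumed formats: "VMware ESXi 8.0.2 build-NNNNNNNN" (vmware -vl on ESXi)
# and "VMware Workstation 17.6.3 ..." / "VMware Fusion 13.6.4 ..." on desktop.
ESXI_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)? build-(\d+)")
DESKTOP_RE = re.compile(r"VMware (Workstation|Fusion)(?: Pro)? (\d+)\.(\d+)\.(\d+)")


def esxi_status(version_line):
    """Return 'patched', 'vulnerable', or 'unknown' for one ESXi version line.
    'unknown' covers unparseable input and trains this post does not list."""
    m = ESXI_RE.search(version_line)
    if not m:
        return "unknown"
    train, build = m.group(1), int(m.group(2))
    fixed = FIXED_ESXI_BUILD.get(train)
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def desktop_status(version_line):
    """Same classification for Workstation / Fusion version strings."""
    m = DESKTOP_RE.search(version_line)
    if not m:
        return "unknown"
    product = m.group(1)
    version = tuple(int(x) for x in m.group(2, 3, 4))
    fixed = FIXED_DESKTOP_VERSION[product]
    if version[0] != fixed[0]:
        return "unknown"  # only the 13.x / 17.x trains are named in the post
    return "patched" if version >= fixed else "vulnerable"


def triage(lines):
    """Map each collected line to its status; ESXi lines are tried first."""
    results = {}
    for line in lines:
        status = esxi_status(line)
        if status == "unknown":
            status = desktop_status(line)
        results[line] = status
    return results


# Constructed sample inventory (build numbers other than the fixed ones are made up).
SAMPLE_LINES = [
    "VMware ESXi 8.0.2 build-24789317",    # fixed 8.0 build from the post
    "VMware ESXi 8.0.2 build-20000000",    # constructed older 8.0 build
    "VMware ESXi 7.0.3 build-24784741",    # fixed 7.0 build from the post
    "VMware Workstation 17.6.3 build-20000001",  # constructed, pre-fix
    "VMware Fusion 13.6.4",
]

if __name__ == "__main__":
    for line, status in triage(SAMPLE_LINES).items():
        print(f"{status:10s} {line}")
```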

Qualys Detection

Qualys customers can scan their devices with QIDs 216348, 216349, 383581, and 383582 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877
