Urgent Security Update: Critical VMware Flaws Patched in Workstation and Fusion
Broadcom has released critical security updates to address four significant vulnerabilities in VMware Workstation and Fusion, some of which could allow an attacker to escape a virtual machine (VM) and execute malicious code on the host operating system. These flaws were successfully demonstrated by security researchers during the recent Pwn2Own Berlin 2024 hacking competition.
The vulnerabilities affect popular virtualization software used by millions of IT professionals and developers worldwide. A “VM escape” is considered one of the most severe types of virtualization security failures, as it breaks the fundamental isolation between the guest operating system and the host machine, potentially exposing the host to a complete takeover.
If you are using VMware Workstation or Fusion, it is crucial to apply these security patches immediately to protect your systems from potential exploitation.
The Critical Vulnerabilities Explained
The security advisory details four distinct vulnerabilities, two of which are rated as critical with a CVSS score of 9.3 out of 10. These flaws pose a direct threat to the host system’s integrity.
Here is a breakdown of the patched vulnerabilities:
CVE-2024-22252 & CVE-2024-22253 (CVSS Score: 9.3 – Critical): These are both use-after-free vulnerabilities found in the XHCI and UHCI USB controllers, respectively. An attacker who has already gained local administrative privileges on a guest VM could exploit these flaws to execute code on the host machine. These were the vulnerabilities that enabled a full VM escape during the Pwn2Own event.
CVE-2024-22254 (CVSS Score: 7.1 – High): This is an out-of-bounds write vulnerability within the shader functionality. While not rated as critical, successful exploitation could also lead to a VM escape, allowing an attacker to break out from the guest OS to the host.
CVE-2024-22255 (CVSS Score: 7.1 – High): This vulnerability is an information disclosure flaw located in the UHCI USB controller. An attacker could leverage this bug to leak memory from the host process to the guest virtual machine, potentially exposing sensitive data.
How to Protect Your Systems: Apply Patches Immediately
Broadcom has confirmed that the only way to remediate these vulnerabilities is to apply the latest updates. There are currently no known workarounds that can mitigate these security risks.
Users should update to the following patched versions as soon as possible:
- VMware Workstation Pro / Player (Windows, Linux): Update to version 17.5.1
- VMware Fusion Pro / Player (macOS): Update to version 13.5.1
These updates can typically be accessed through the software’s built-in update mechanism or downloaded directly from the official VMware portal. Prioritizing these patches is essential, especially for users running untrusted or publicly exposed virtual machines.
Why Virtualization Security is Paramount
Virtual machines are designed to provide a sandboxed environment, isolating applications and operating systems from the underlying host hardware. This isolation is a core security feature, preventing issues within a VM from affecting the host or other VMs.
A VM escape vulnerability shatters this illusion of security. If an attacker can break out of the guest environment, they can potentially:
- Access and steal sensitive data from the host machine.
- Install persistent malware or ransomware on the host.
- Move laterally across a network to compromise other systems.
- Disable host-level security controls.
The discovery of these flaws at a high-profile event like Pwn2Own underscores the constant pressure on virtualization platforms. Security researchers play a vital role in finding and reporting these issues responsibly, allowing vendors to develop patches before the exploits are used maliciously in the wild.
For all users of VMware Workstation and Fusion, the message is clear: do not delay. Update your software to the latest version to ensure your host systems and data remain secure.
Source: https://securityaffairs.com/180062/security/broadcom-patches-critical-vmware-flaws-exploited-at-pwn2own-berlin-2025.html
