Pwn2Own VMware Hypervisor Escape and Privilege Escalation Vulnerabilities
Broadcom VMware issued fixes for multiple Pwn2Own-disclosed local privilege escalation flaws affecting ESXi and Workstation, where attackers with code execution inside a guest can potentially execute arbitrary code in the hypervisor context. The disclosed issues include CVE-2025-41236 in the VMXNET3 virtual device on ESXi, caused by an integer overflow; CVE-2025-41237 in VMCI on ESXi, caused by an integer underflow; and CVE-2025-41238 in the PVSCSI virtual device on Workstation, caused by improper validation of user-controlled length data leading to a heap-based buffer overflow. All three advisories assign a CVSS 8.2 score and describe the same exploitation precondition: the attacker must already be able to run high-privileged code on the guest OS.
The Aria Operations privilege-escalation research concerns a different VMware product and is not part of this disclosure set. That separate report covers CVE-2025-41245 and CVE-2026-22721, where a vCenter user mapped by default to Aria's PowerUser role could escalate to an Aria administrator and potentially gain access across integrated VMware environments. By contrast, the Pwn2Own advisories covered here focus specifically on guest-to-hypervisor escape paths in ESXi and Workstation, with Broadcom publishing updates through the same security advisory channel and crediting researchers from STAR Labs, Synacktiv, and REverse Tactics for the findings.
Timeline
Mar 16, 2026
VMware releases fixes and ZDI discloses three VMware virtualization flaws
At coordinated disclosure, ZDI published advisories for CVE-2025-41236 and CVE-2025-41237 affecting VMware ESXi and for CVE-2025-41238 affecting VMware Workstation. VMware issued updates to remediate the guest-to-hypervisor escape vulnerabilities, which were disclosed following Pwn2Own reporting.
May 23, 2025
VMware receives report of ESXi VMCI hypervisor escape flaw
Corentin "@OnlyTheDuck" Bayet of REverse Tactics reported a VMware ESXi local privilege escalation vulnerability in the VMCI implementation, later assigned CVE-2025-41237, to VMware.
May 21, 2025
VMware receives report of ESXi VMXNET3 hypervisor escape flaw
Nguyen Hoang Thach of STAR Labs SG Pte. Ltd. reported a VMware ESXi local privilege escalation vulnerability in the VMXNET3 virtual device, later assigned CVE-2025-41236, to VMware through the Pwn2Own process.
Related Stories

Broadcom Patches VMware Aria Operations Flaws Enabling RCE During Support-Assisted Migrations
Broadcom issued advisory **VMSA-2026-0001** for **VMware Aria Operations** (formerly *vRealize Operations*), warning of three vulnerabilities affecting Aria Operations and bundled platforms including **VMware Cloud Foundation** and **VMware Telco Cloud**. The most severe issue, **CVE-2026-22719** (CVSS 8.1), is a **command injection** flaw that can be exploited by an **unauthenticated** attacker to execute arbitrary commands and potentially achieve **remote code execution** specifically **while a support-assisted product migration is in progress**. Broadcom released patches and also documented a workaround for CVE-2026-22719 in its response matrix/KB guidance. The advisory also covers **CVE-2026-22720** (CVSS 8.0), a **stored XSS** issue where a user with privileges to create custom benchmarks can inject script to perform administrative actions, and **CVE-2026-22721** (CVSS 6.2), a **privilege escalation** path where a user with vCenter access to Aria Operations can elevate to administrative control. Researchers **Sven Nobis** and **Lorin Lehawany** of **ERNW** were credited with reporting at least part of the findings. Impacted deployments include Aria Operations 8.x and related bundles across Cloud Foundation and Telco Cloud product lines; Broadcom’s fixed versions include updates such as Aria Operations **8.18.6** and Cloud Foundation **9.0.2.0**, and organizations are advised to prioritize upgrades due to the lack of workarounds for the XSS and privilege-escalation issues.
1 month ago
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)
Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.
1 month ago
Critical RCE Flaws Disclosed in Ivanti CSA and VMware vCenter
Critical vulnerabilities were disclosed in **Ivanti Cloud Services Application (CSA)** and **VMware vCenter Server** products, exposing enterprise management platforms to remote compromise. Ivanti said CSA `5.0.2` and earlier contain three flaws—`CVE-2024-11639`, `CVE-2024-11772`, and `CVE-2024-11773`—that can enable authentication bypass, remote code execution, and arbitrary SQL query execution through the administrator browser console, with the most severe issues rated **CVSS 10.0**. Ivanti released fixes in CSA `5.0.3` and urged customers to update immediately. VMware also disclosed two vulnerabilities affecting **vCenter Server** and **VMware Cloud Foundation**: `CVE-2024-38812`, a heap overflow that can allow arbitrary code execution, and `CVE-2024-38813`, which can enable privilege escalation to root. The flaws affect vCenter Server `7.0` and `8.0` as well as VMware Cloud Foundation `4.x` and `5.x`, and can be exploited remotely over the network using specially crafted packets. In both vendor notices, no active exploitation had been confirmed at the time of disclosure, but organizations and service providers were advised to apply vendor-fixed versions without delay because successful attacks could result in full administrative compromise.
1 week ago