U.S. technology giant Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by malicious hackers to compromise the networks of its corporate customers.
The three vulnerabilities — collectively dubbed “ESXicape” by one security researcher — affect VMware ESXi, Workstation, and Fusion, which are widely used software hypervisor products that allow multiple virtual machines to be managed on a single server. Hypervisors are commonly used to reduce the need to take up physical server space.
Broadcom, which acquired VMware in 2023, said that the vulnerabilities (tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) could allow an attacker with administrator or root privileges on a virtual machine to escape its protected sandbox and gain broader unauthorized access to the underlying hypervisor product.
With access to the hypervisor, an attacker can gain access to any other virtual machine, including virtual systems owned by other companies within the same physical data center.
Broadcom says it has “information to suggest” that the vulnerabilities have been exploited in the wild.
“The impact here is huge, an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor,” Stephen Fewer, principal security researcher at threat intelligence company Rapid7, told TechCrunch.
Broadcom did not share any details about the nature of the attacks or the threat actors behind them and did not say whether any customer data had been accessed. A spokesperson for Broadcom did not respond to TechCrunch’s questions. Microsoft, which discovered and reported the vulnerabilities to Broadcom, also didn’t respond by press time.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Security researcher Kevin Beaumont said in a post on Mastodon that the three vulnerabilities are actively being exploited by an as-yet-unnamed ransomware group.
VMware vulnerabilities are frequently targeted by ransomware groups due to their ability to be exploited to compromise multiple servers during a single attack, and given that sensitive corporate data is often stored in these virtualized environments.
Microsoft discovered in 2024 that multiple ransomware groups were exploiting a VMware hypervisor flaw in attacks deploying Black Basta and LockBit ransomware in data-stealing campaigns targeting corporate data. The previous year, a large-scale hacking campaign, dubbed “ESXiArgs,” saw ransomware groups exploit a two-year-old VMware vulnerability to target thousands of organizations worldwide.
Broadcom has released patches for the three vulnerabilities, which are classed as “zero-day” bugs due to the fact they were exploited before a fix was made available. Broadcom described its security advisory as an “emergency” change and is urging customers to apply the patches as soon as possible.
U.S. government cybersecurity agency CISA is also warning federal agencies to patch against the bugs, which it has added to its running catalog of vulnerabilities known to be under attack.
