InfoSecBulletin Cybersecurity for mankind
Broadcom has urgently alerted about four serious vulnerabilities in VMware ESXi, Workstation, Fusion, and Tools, with CVSS scores up to 9.3. Reported by leading security researchers at Pwn2Own, these flaws present major risks to organizations using virtual infrastructure.
CVE-2025-41236 – Integer Overflow in VMXNET3 (CVSS 9.3)
Node.js Flaws Expose Windows Apps to Path Traversal & HashDoS Attacks
Broadcom fixes multiple vulnerabilities in VMware ESXi, Workstation, and Fusion
Oracle Patched 309 Vulnerabilities with 145 Remotely Exploitable Flaw
Microsoft Extends 365 Support Until 2028 with ESU Program
Meta’s $100B AI Push: Gigawatt-Size Data Centers Spark Water Crisis
4 vulns impact Gigabyte motherboards to UEFI malware bypassing Secure Boot
Wing FTP 2000+ Servers Exposed Online: Actively Exploiting
CVE-2025-7503 (CVSS 10)
Backdoor in popular IP Camera Allows Hackers Root Access
(CVE-2025-25257)
Patch Urgently! Exploits for pre-auth Fortinet FortiWeb RCE flaw released
GP launched appless ‘GP Shield’ to protect mobile for only 50 TK
A vulnerability in the VMXNET3 virtual network adapter in ESXi, Workstation, and Fusion allows local attackers with admin access to execute arbitrary code on the host system. Only VMs using the VMXNET3 adapter are affected, while other adapters remain secure.
CVE-2025-41237 – Integer Underflow in VMCI (CVSS 9.3)
A serious vulnerability in VMCI allows local attackers to write out-of-bounds and execute code as the VMX process, risking host compromise.
“On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed,” Broadcom clarified.
CVE-2025-41238 – Heap Overflow in PVSCSI (CVSS 9.3)
A vulnerability in the PVSCSI controller allows attackers to write data outside the intended area and possibly run code on the host.
“On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported,” the advisory notes. However, Workstation and Fusion deployments are at higher risk.
CVE-2025-41239 – Information Disclosure in vSockets (CVSS 7.1):
This important-severity vulnerability comes from using memory that hasn’t been set up in the vSockets component, which can lead to data leakage from processes using virtual sockets.
“A malicious actor… may be able to exploit this issue to leak memory from processes,” Broadcom explained.
“Updates are available to remediate these vulnerabilities in affected Broadcom products,” the company announced, urging users to patch immediately.
