The cyber security team at Broadcom has acknowledged that during the Pwn2Own hacking contest in Berlin in March, there were three successful attacks on the VMware hypervisor.
On March 16, Nguyen Hoang Thach, a security researcher from Star Labs, successfully exploited VMware ESXi. “This is the first time VMware ESXi was exploited in the Pwn2Own hacking event,” Praveen Singh and Monty Ijzerman, from the product security and incident response team in the VMware Cloud Foundation division of Broadcom, wrote on the company’s website.
This is something that has not been achieved before, according to a LinkedIn post by Bob Carver, CEO of Cybersecurity Boardroom.
“This was the first time in Pwn2Own’s history, stretching back to 2007, that the hypervisor has been successfully exploited,” he wrote, adding that the hacker was able to deploy a single integer overflow exploit.
Singh and Ijzerman also noted that on 17 March, Corentin Bayet, chief technology officer of Reverse Tactics, successfully exploited ESXi by chaining two vulnerabilities. According to Singh and Ijzerman, one of the vulnerabilities used in the exploit was already known.
The third successful attack, also on 17 March, was run by Thomas Bouzerar and Etienne Helluy-Lafont, security experts from Synacktiv, who managed to successfully exploit the VMware workstation.
Singh and Ijzerman said the team at Broadcom were actively working on the remediation. “We plan to publish a VMware Security Advisory to provide information on updates for the affected products,” they said.
While Broadcom has so far committed to providing patches for zero-day exploits, its current strategy to move customers onto VMware Cloud Foundation subscription bundles may leave some VMware users with gaps in their security, especially if their support contract is up for renewal.
As Computer Weekly reported earlier this month, Broadcom informed customers it would no longer renew support contracts for VMware products purchased on a perpetual licence basis and that support would only continue for those that moved to a VMware subscription.
On 12 May, Broadcom issued a critical security advisory, CVE-2025-22249, which affects the Aria toolset. The Cybersecurity Centre for Belgium said that given the vulnerability requires user interaction, it could be exploited through a phishing attack if a VMware admin clicked on a malicious URL link.
“If the user is logged in to their VMware Aria Automation account, the threat actor could gain full control of their account and perform any actions the user has the rights to perform. The vulnerability has a severe impact to the confidentiality and low impact to the integrity of the affected systems,” it warned, urging VMware users to “patch immediately”.
Broadcom has issued patches for VMware Aria Automation 8.18.x and version 5.x and 4.x of VMware Cloud Foundation, but it has not provided any workarounds, which means those users running an older version of the tool remain at risk.
There are a number of reports that many VMware customers have been sent cease-and-desist emails from Broadcom regarding their perpetual VMware licenses, which demand removal of patches and bug fixes that they may have installed.
While details of the successful exploits of the VMware hypervisor have yet to be published, the patches are not yet available, and questions remain as to how widely these will be distributed.
