{
	"id": "70b74f56-2929-4946-bcfd-e2cf68ea3c85",
	"created_at": "2026-04-06T00:15:14.966166Z",
	"updated_at": "2026-04-10T03:20:47.03674Z",
	"deleted_at": null,
	"sha1_hash": "ebb09fdce8d7abdfc7a0f131f38ec723fa7af6b9",
	"title": "vcf-security-and-compliance-guidelines/security-advisories/vmsa-2025-0004 at main · vmware/vcf-security-and-compliance-guidelines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63977,
	"plain_text": "vcf-security-and-compliance-guidelines/security-advisories/vmsa-2025-0004 at main · vmware/vcf-security-and-compliance-guidelines\r\nBy plankers\r\nArchived: 2026-04-05 23:40:10 UTC\r\nVMSA-2025-0004: Questions \u0026 Answers\r\nIntroduction\r\nOn March 4, 2025 Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004,\r\naddressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat\r\nactors could access the hypervisor through a running virtual machine.\r\nThe advisory references patches applicable to all supported versions of VMware ESX. All customers should apply\r\nthese updates.\r\nThe VMSA will always be the source of truth for what products \u0026 versions are affected and proper patches to\r\nkeep your organization secure. This document is a corollary to the advisory and includes self-service information\r\nto help you and your organization decide how to respond.\r\nYou are affected if you are running any version of VMware ESX, VMware vSphere, VMware Cloud Foundation,\r\nor VMware Telco Cloud Platform prior to the versions listed as “fixed” in the VMSA. Please consult the VMSA\r\nitself for the definitive list of affected versions. 
If you have a question about whether you are affected, it is\r\nprobable that you are, and you should take action immediately.\r\nIf you are experiencing issues with the Broadcom Support Portal please see the section below entitled \"I\r\ncurrently have an active entitlement however I cannot see all the fixed versions relating to the VMSA\" for more\r\ninformation.\r\nCurrent Update\r\nUpdated on March 6, 2025 at 0815 PST (-0800)\r\nNext Expected Update\r\nThere is not a regular update schedule for this document; it will be updated as needed.\r\nRelevant Links\r\nhttps://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004\r\nPage 1 of 6\n\nVMware Security Advisory VMSA-2025-0004 (the security advisory itself)\r\nVMSA-2025-0004 Questions \u0026 Answers (this document’s shortened link)\r\nvSphere Security Configuration \u0026 Hardening Guides (the reference for hardening VMware vSphere, virtual\r\nmachines, and in-guest settings like VMware Tools)\r\nVMware Cloud Foundation Security Advisories (list of all disclosed security vulnerabilities)\r\nVMware Security Advisory Mailing List (please subscribe for proactive notifications of security advisories)\r\nVMware Ports \u0026 Protocols \u0026 VMware vSphere Firewalling Helper (assistance in determining ingress \u0026 egress\r\nfirewall rule sets)\r\nVMware vSphere Critical Patch Downloads (support.broadcom.com)\r\nQuestions \u0026 Answers\r\nWho does this affect?\r\nYou are affected if you are running any version of VMware ESX, VMware vSphere, VMware Cloud Foundation,\r\nor VMware Telco Cloud Platform prior to the versions listed as “fixed” in the VMSA.\r\nFor a definitive list of affected versions, please refer to the VMSA directly. 
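\r\nThe following PowerCLI function is an added example; it is not part of the Broadcom Q\u0026A or of the advisory. It extends the Get-VMHost one-liner given later in this document by comparing each host’s build number against the fixed build for that host’s version line and flagging hosts that fall below it. The $FixedBuilds table is deliberately shipped without real values: populate it from the VMSA, one entry per version line (for example 8.0.3 and 8.0.2 have different fixed builds), because a build number is only comparable with other builds of the same line.\r\n
```powershell
# Added example, not part of the Broadcom Q&A: flag ESX hosts whose build is
# below the fixed build for their version line. Needs VMware.PowerCLI and an
# active Connect-VIServer session. $FixedBuilds carries no real values here;
# take them from the VMSA, one entry per version line that you run.

function Get-VmsaHostStatus {
    param(
        # Keyed by the exact Version string PowerCLI reports (e.g. '8.0.3'),
        # value = minimum fixed build from the VMSA for that version line.
        [Parameter(Mandatory = $true)]
        [hashtable]$FixedBuilds
    )

    foreach ($vmhost in Get-VMHost) {
        $build = [int64]$vmhost.Build
        if (-not $FixedBuilds.ContainsKey($vmhost.Version)) {
            # No entry for this line: do not guess, surface it for a human
            # to check against the VMSA.
            $status = 'UNKNOWN'
        } elseif ($build -ge [int64]$FixedBuilds[$vmhost.Version]) {
            $status = 'FIXED'
        } else {
            $status = 'VULNERABLE'
        }
        [pscustomobject]@{
            Name            = $vmhost.Name
            Version         = $vmhost.Version
            Build           = $build
            ConnectionState = $vmhost.ConnectionState
            Status          = $status
        }
    }
}

# Usage (replace each 0 with the fixed build from the VMSA before running):
# Get-VmsaHostStatus -FixedBuilds @{ '8.0.3' = 0; '8.0.2' = 0; '7.0.3' = 0 } |
#     Sort-Object Status | Format-Table -AutoSize
```
\r\nHosts whose version line has no table entry are reported as UNKNOWN rather than silently passed, so a missing entry cannot hide an unpatched host; treat UNKNOWN as vulnerable until it has been checked against the VMSA.\r\n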
If there is any uncertainty about\r\nwhether a system is affected, it should be presumed vulnerable, and immediate action should be taken.\r\nWhen do I need to act?\r\nThese issues would qualify under ITIL methodologies as an emergency change, requiring prompt action from your\r\norganization. However, the specific response timing depends on your unique circumstances. It is advisable to\r\nconsult immediately with your organization’s information security staff. They will assess the situation and\r\ndetermine the most appropriate course of action for your specific organizational context.\r\nWhat should I do to protect myself?\r\nTo ensure full protection for yourself and your organization, install one of the update versions listed in the\r\nVMware Security Advisory.\r\nWhat products are affected?\r\nVMware ESX and any products that contain ESX, including VMware vSphere, VMware Cloud Foundation, and\r\nVMware Telco Cloud Platform.\r\nWhat CVE numbers are involved in these disclosures?\r\nCVE-2025-22224, CVE-2025-22225, and CVE-2025-22226\r\nWhat is the severity of the vulnerabilities?\r\n9.3 (CVE-2025-22224), 8.2 (CVE-2025-22225), and 7.1 (CVE-2025-22226), scored using version 3.1 of the\r\nCommon Vulnerability Scoring System (CVSS).\r\nAre there additional details about the vectors of the vulnerabilities?\r\nVMware Security Advisories link to the FIRST CVSS v3.1 calculator, with the vectors pre-filled for the individual\r\nvulnerabilities. This information is found in the ‘References’ section of the advisory.\r\nAre the vulnerabilities being exploited “in the wild?”\r\nBroadcom has information to suggest that exploitation of these issues has occurred “in the wild.”\r\nIs this a “VM Escape?”\r\nYes. 
This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained\r\nprivileged access (administrator or root) could move into the hypervisor itself.\r\nDo I have to update VMware vCenter?\r\nWhile it is recommended that vCenter be maintained at the latest patch levels, this advisory does not affect\r\nvCenter directly.\r\nDo I have to update VMware ESX?\r\nYes; ESX is affected by this VMSA.\r\nIs this patch eligible for Live Patch?\r\nNo. Although Live Patch was announced following the release of vSphere 8.0 Update 3, the nature of this\r\nparticular issue prevents the use of live patching.\r\nI currently have an active entitlement however I cannot see all the fixed versions relating to the\r\nVMSA.\r\nTo access a patch for a given major version (for example, a vSphere 7 patch) you must have a License Key of the\r\nsame version to view and download it. If the licenses on your site ID contain only one version you will have to\r\nupgrade/downgrade licenses to access another version. For more information relating to upgrading/downgrading\r\nlicenses see Upgrade and Downgrade VMware License Keys.\r\nDo I have to update SDDC Manager?\r\nNo; SDDC Manager is not affected by this VMSA.\r\nDo I have to update VMware Cloud Foundation Operations, Automation, or Aria Suite\r\ncomponents?\r\nNo; these components are not affected by this VMSA.\r\nDo I have to update VMware NSX?\r\nNo; NSX is not affected by this VMSA.\r\nWill there be a patch for VMware Cloud Foundation?\r\nYes, there is an asynchronous patch for supported versions of the VMware Cloud Foundation. 
Please follow the\r\ninstructions linked in the VMSA itself.\r\nWill there be a patch for VMware Telco Cloud Platform?\r\nVMware Telco Cloud Platform customers will need to update to a version of ESXi that contains the fixes, which\r\nmay necessitate moving to a newer version of VMware Telco Cloud Platform (TCP). For more details please\r\nconsult the instructions in the VMSA itself.\r\nAre there workarounds for these vulnerabilities?\r\nThere are no feasible workarounds for this situation.\r\nExploiting this vulnerability does require administrator/root privileges on a guest operating system, so there are\r\nother layers of defenses that can help if they are in place. There are no other meaningful workarounds that do not\r\ninvolve updating and restarting VMware ESX.\r\nFor assistance that is tailored to your environment and organization please contact your account team.\r\nIf I do not install VMware Tools am I safe?\r\nNo. An attacker with privileged access to your guest operating system can install and/or re-enable the VMware\r\nTools for you.\r\nDo I need to update VMware Tools?\r\nBroadcom recommends always maintaining VMware Tools at the most recent patch levels, but you do not need to\r\nupdate VMware Tools specifically as part of this advisory.\r\nWhat versions or builds are affected by these issues?\r\nYou are affected if you are running any version of ESX prior to the fixed versions listed in the VMSA. Please\r\nconsult the VMSA itself for the definitive list of affected versions. If you have a question about whether you are\r\naffected it is likely that you are, and should take action immediately.\r\nBroadcom always recommends applying the latest updates to all software products.\r\nHow do I check the build or version number of VMware ESX?\r\nThe build information is available in the Summary tab of the vSphere Client. 
It can also be easily queried with\r\nPowerCLI:\r\nGet-VMHost | Select-Object Name,Version,Build\r\nIf I update ESX will it affect running workloads?\r\nBroadcom recommends the use of vMotion to relocate virtual machines to alternate hosts while you update, in a\r\n“rolling reboot” fashion. Virtual machines that cannot be moved with vMotion will need to be powered down during\r\nthe host restart.\r\nAre there any known issues with this patch?\r\nThere are no known issues with the updates listed in VMSA-2025-0004.\r\nI am amidst an upgrade of my environment. Are there any concerns with applying this patch?\r\nThis patch is a “back in time” situation: the fixed vSphere 8 Update 2d build was released after earlier vSphere 8\r\nUpdate 3 builds, so moving from vSphere 8 Update 2d to a vSphere 8 Update 3 build that predates this advisory\r\nmay result in security exposures. Consult the release notes for this update for more information, and ensure that,\r\nas part of your upgrade process, you are also applying the latest patches to the upgraded environment.\r\nDoes this impact VMware vSphere 6.5 or 6.7?\r\nYes. A patch has been released for ESX 6.7 and is available via the Support Portal to all customers. ESX 6.5\r\ncustomers should use the extended support process for access to ESX 6.5 patches.\r\nProducts that are past their End of General Support dates are not evaluated as part of security advisories, and are\r\nnot listed in the official VMSA. Broadcom strongly encourages all customers using vSphere 6.5 and 6.7 to update\r\nto vSphere 8.\r\nDo I have to update to vSphere 8 Update 3 to receive this patch?\r\nYes. vSphere 8 Update 3 was released in July 2024 and is considered the best version of vSphere 8, intended for\r\nlong-term stability and support.\r\nDo I have to update to vSphere 7 Update 3 to receive this patch?\r\nYes. 
vSphere 7 Update 3 was released in January 2022 and is considered the best version of vSphere 7, intended\r\nfor long-term stability and support.\r\nI am using a third-party solution such as HPE SimpliVity, Dell EMC VxRail, and so on. Is it safe\r\nfor me to apply the update?\r\nThird-party engineered systems control their patch levels and configurations as part of their qualification and\r\ntesting processes. Using security guidance that is not explicitly for that product and product version is never\r\nadvised. If you use engineered and integrated solutions please contact those vendors directly for guidance.\r\nBroadcom is not involved in, and cannot speak to, third-party product release schedules.\r\nAre VMware Cloud and hosted products updated?\r\nVMSA information is delivered as a message inside hosted, cloud, and software-as-a-service products where\r\napplicable. Please check the administrative consoles of those services for further relevant messages and details\r\nabout this VMSA. Additional questions about the service should be answered through the support processes for\r\nthat service. Thank you.\r\nChange Log\r\nSpecific changes to this document can be easily tracked with GitHub's \"History\" and \"Blame\" functions (buttons\r\nabove).\r\nDisclaimer\r\nThis document is intended to provide general guidance for organizations that are considering Broadcom solutions.\r\nThe information contained in this document is for educational and informational purposes only. This document is\r\nnot intended to provide advice and is provided “AS IS.” Broadcom makes no claims, promises, or guarantees\r\nabout the accuracy, completeness, or adequacy of the information contained herein. 
Organizations should engage\r\nappropriate legal, business, technical, and audit expertise within their specific organization for review of\r\nrequirements and effectiveness of implementations.\r\nSource: https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004"
	],
	"report_names": [
		"vmsa-2025-0004"
	],
	"threat_actors": [],
	"ts_created_at": 1775434514,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ebb09fdce8d7abdfc7a0f131f38ec723fa7af6b9.pdf",
		"text": "https://archive.orkl.eu/ebb09fdce8d7abdfc7a0f131f38ec723fa7af6b9.txt",
		"img": "https://archive.orkl.eu/ebb09fdce8d7abdfc7a0f131f38ec723fa7af6b9.jpg"
	}
}