Vulnerability Update: VMWare ESXI, Pwn2Own & CISCO ISE
Critical Security Advisory: VMware ESXi Vulnerabilities Uncovered via Pwn2Own Berlin 2025
Overview
VMware disclosed four critical vulnerabilities (CVE-2025-41236 to CVE-2025-41239) affecting multiple products including ESXi, Workstation, Fusion, Tools, and Cloud Foundation.
These were discovered during the Pwn2Own Berlin 2025 contest and pose serious risks such as VM escape, host-level code execution, and information leakage.
Vulnerability Breakdown
CVE-2025-41236 – Integer Overflow in VMXNET3 Adapter
-
CVSS Score: 9.3
-
Impact: Allows a guest VM admin to execute arbitrary code on the host.
-
Risk: Critical in cloud, VDI, and MSP environments
CVE-2025-41237 – Integer Underflow in VMCI Device
-
CVSS Score: 9.3
-
Impact: Enables guest VM admin to run code as the VMX host process.
-
Risk: High risk of VM escape1.
CVE-2025-41238 – Heap Overflow in PVSCSI Controller
-
CVSS Score: 9.3
-
Impact: Code execution on host in certain configurations.
-
Risk: Major risk for misconfigured or legacy VMs 1.
CVE-2025-41239 – Uninitialised Memory in vSockets
-
CVSS Score: 7.1
-
Impact: Memory leakage from host to guest.
-
Risk: Medium, but notable in sensitive environments 2.
Affected VMware Products
-
VMware ESXi
-
VMware Workstation
-
VMware Fusion VMware Tools
-
VMware Cloud Foundation (ESX component)
-
VMware vSphere Foundation (ESX component)
-
VMware Telco Cloud Platform VMware Telco Cloud Infrastructure
Vulnerability Breakdown by Product
Recommendations
2 hours to patch version 8 or 4 hours to upgrade to the latest version of 9 with potential downtime.
Call Us on 01527 880088
Get in Touch Online
Featured blogs
Is Your Business Ready for Windows 10 End-of-Life?
Prepare for the future: upgrade to Windows 11 Pro before Windows 10 reaches End of Life!
Read more
.jpg)
Microsoft OneDrive Update is a Risk to Business
Microsoft's new OneDrive feature could risk business data security by syncing with personal accounts. Implement preventative policies before the June rollout.
Read more
.jpg)
Technical Drive Achieves ISO 27001, ISO 9001, and Cyber Essentials Re-certification
Technical Drive proudly announces the re-certification of ISO 27001, ISO 9001, and Cyber Essentials, underscoring our commitment to quality, security, and excellence.
Read more
.jpg)
40km, 5 Teammates, 1 Amazing Cause! The Technical Drive Canoe Highlights
On 7th June, Adam, Sam, Ben, Amy and Elizabeth from our Technical Drive team completed a 40km walk-and-canoe challenge for SMA UK’s ’40 for 40’ campaign.
Read more
Discover the benefits for your business of upgrading to Windows 11
Support ends for Windows 10 soon, now is the perfect time to upgrade your PCs and laptops to Windows 11
Read more
.jpg)
From Audit to Agreement: How Small Businesses Are Being Misled by Telecom Sales
Small businesses are being caught in costly, long-term phone contracts due to misleading sales tactics. Learn how to spot the risks and protect your business.
Read more
Email sign up
As your Managed IT Service Partner, we take responsibility to proactively help you drive your business forward through technology. With our fast, responsive, and strategic team we can digitally transform organisations to drive productivity, profitability, and success. Sign up to receive helpful advice and industry news that could affect your IT, data storage and communications.
Get in touch
Is your current company not performing, not being proactive, not getting value for money? Or perhaps you have an urgent problem?