VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.
Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said in a new advisory.

“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.
Also patched by the Broadcom-owned virtualization services provider are two other shortcomings –
- CVE-2024-22254 (CVSS score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to cause a sandbox escape.
- CVE-2024-22255 (CVSS score: 7.9) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine may exploit to leak memory from the vmx process.
The issues have been addressed in the following versions, including those that have reached end-of-life (EoL), due to the severity of these issues –
- ESXi 6.5 – 6.5U3v
- ESXi 6.7 – 6.7U3u
- ESXi 7.0 – ESXi70U3p-23307199
- ESXi 8.0 – ESXi80U2sb-23305545 and ESXi80U1d-23299997
- VMware Cloud Foundation (VCF) 3.x
- Workstation 17.x – 17.5.1
- Fusion 13.x (macOS) – 13.5.1
As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine.
“In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.”
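On Workstation and Fusion the VM hardware is described in a plain-text .vmx file, so the workaround above can be audited without powering on the guest. The following is an added example, not VMware's code: it parses a constructed .vmx fragment and reports which emulated USB controllers are still enabled; the mapping of `usb.present` to UHCI, `ehci.present` to EHCI and `usb_xhci.present` to XHCI is my assumption from common VMX usage, not something stated in the advisory.

```python
import re
from typing import Dict, List

# VMX keys that enable an emulated USB controller (assumed mapping; the
# advisory names the XHCI and UHCI controllers but not these keys).
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "XHCI (USB 3.x)",
}

# A .vmx line looks like:  key = "value"
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; keys are case-insensitive in VMX."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comment lines
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def usb_controllers_present(cfg: Dict[str, str]) -> List[str]:
    """Return the controller types whose *.present key is TRUE."""
    return [name for key, name in USB_CONTROLLER_KEYS.items()
            if cfg.get(key, "").strip().upper() == "TRUE"]


def audit_vmx(text: str) -> dict:
    """Report whether the VM still needs the remove-USB-controllers workaround."""
    cfg = parse_vmx(text)
    present = usb_controllers_present(cfg)
    return {
        "displayName": cfg.get("displayname", "<unknown>"),
        "usb_controllers": present,
        "needs_workaround": bool(present),
    }


# Constructed sample .vmx fragment (not taken from any real VM).
SAMPLE_VMX = """\
# constructed sample
.encoding = "UTF-8"
displayName = "build-agent-01"
usb.present = "TRUE"
ehci.present = "FALSE"
usb_xhci.present = "TRUE"
"""

if __name__ == "__main__":
    print(audit_vmx(SAMPLE_VMX))
```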
Some parts of this article are sourced from:
thehackernews.com