Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Multiple Vulnerabilities in VMware Products

17 July 2025

Security updates have been released for multiple vulnerabilities affecting VMware products. Users and administrators are advised to update to the latest versions.

Background

Broadcom has released security updates to address multiple vulnerabilities (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, and CVE-2025-41239) affecting VMware ESXi, Workstation, Fusion, and Tools.

Impact

  • CVE-2025-41236: Successful exploitation of an integer-overflow vulnerability in the VMXNET3 virtual network adapter could allow an attacker with local administrative privileges on a virtual machine  using this adapter to execute code on the host. The vulnerability has a CVSSv3 score of 9.3.

  • CVE-2025-41237: Successful exploitation of an integer-underflow vulnerability in VMCI (Virtual Machine Communication Interface) could allow an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox. On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. The vulnerability has a CVSSv3 score of 9.3.

  • CVE-2025-41238: Successful exploitation of a heap-overflow vulnerability in the PVSCSI (Paravirtualised SCSI) controller could allow an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. The vulnerability has a CVSSv3 score of 9.3.

  • CVE-2025-41239: Successful exploitation of an information disclosure vulnerability in vSockets could allow an attacker with local administrative privileges on a virtual machine to leak memory from processes communicating with vSockets. The vulnerability has a CVSSv3 score of 7.1.

Affected Products

The following VMware products are affected:    

  • VMware Cloud Foundation version 4.5.x

  • VMware vSphere Foundation version 9.0.0.0

  • VMware ESXi versions 8.0 and 7.0 

  • VMware Workstation version 17.x

  • VMware Fusion version 13.x

  • VMware Tools versions 13.x.x, 12.x.x, and 11.x.x

  • VMware Telco Cloud Platform versions 5.x, 4.x, 3.x, and 2.x

  • VMware Telco Cloud Infrastructure versions 3.x and 2.x 

Recommendations

Users and administrators of affected product versions are advised to update to the latest versions.

References

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

https://nvd.nist.gov/vuln/detail/CVE-2025-41236

https://nvd.nist.gov/vuln/detail/CVE-2025-41237

https://nvd.nist.gov/vuln/detail/CVE-2025-41238

https://nvd.nist.gov/vuln/detail/CVE-2025-41239

Back to top