Full Report
VMware fixed four vulnerabilities in VMware ESXi, Workstation, Fusion, and Tools that were exploited as zero-days during the Pwn2Own Berlin 2025 hacking contest in May 2025. [...]
Analysis Summary
# Vulnerability: VMware ESXi PVSCSI Out-of-Bounds Write and Information Disclosure Flaws Exploited at Pwn2Own
## CVE Details
- CVE ID: Multiple. The source explicitly names **CVE-2025-41239** (information disclosure) and **CVE-2025-41237** (mentioned as part of the exploit chain); the CVE assigned to the PVSCSI out-of-bounds write is not given in the excerpt.
- CVSS Score: **7.1** for CVE-2025-41239 (the source does not state how this was mapped to a qualitative rating). No score is given for the primary PVSCSI out-of-bounds write, but its severity is implied to be critical since it yielded code execution during Pwn2Own.
- CWE: Not explicitly listed; the primary flaw is an out-of-bounds write, i.e. a heap/buffer management weakness.
## Affected Systems
- Products: VMware ESXi, Workstation, Fusion, and Tools are named in the headline; the PVSCSI analysis below concerns the ESXi zero-days.
- Versions: Not listed in the provided text.
- Configurations: Exploiting the primary out-of-bounds write requires local administrative privileges inside a running guest VM. CVE-2025-41239 affects VMware Tools for Windows and was used as part of the chain.
## Vulnerability Description
The primary vulnerability is a flaw in the **PVSCSI (Paravirtualized SCSI) controller** that results in an **out-of-bounds write**. A local administrative user inside a guest VM can use it to execute arbitrary code in the context of the VMX process on the ESXi host, i.e. to escape the guest.
A second vulnerability, **CVE-2025-41239**, is an **information disclosure** flaw in **VMware Tools for Windows**.
## Exploitation
- Status: **Exploited as zero-days** in a controlled setting (live demonstration at Pwn2Own Berlin 2025). The source reports no exploitation in the wild.
- Complexity: The demonstrated chain used at least two bugs (CVE-2025-41237 chained with CVE-2025-41239) and required the attacker to already hold local administrative access inside the VM.
- Attack Vector: **Local** to the guest VM; the result is code execution on, or information disclosure from, the host.
## Impact
The impact of the primary PVSCSI flaw (leading to code execution in the VMX process) is severe:
- Confidentiality: High (Potential access to host memory/data)
- Integrity: High (Ability to alter host processes)
- Availability: High (Potential for denial of service or system compromise)
Impact for CVE-2025-41239 (Information Disclosure):
- Confidentiality: Medium/High (Disclosure of internal data)
## Remediation
### Patches
- Specific patch details are not provided in the text, but VMware has released fixes for all four zero-days, and the text implies they were available when the bulletin was published.
- Fixing CVE-2025-41239 requires updating VMware Tools for Windows inside affected guests, which is a separate upgrade process from patching the hypervisor.
### Workarounds
- **None available** for the primary vulnerabilities; upgrading to the fixed versions is the only remediation mentioned.
## Detection
- No specific Indicators of Compromise (IOCs) or detection signatures are given in this summary text.
- Detection would have to rely on monitoring the ESXi host for VMX process anomalies (for example, unexpected crashes or behaviour triggered by a guest's SCSI requests), and, only where the affected component is network-reachable, on monitoring traffic to and from it.
## References
- [Vendor advisory VMSA-2025-0013](https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0013#17-are-the-fixed-vmware-tools-bundled-with-esx) (Note: the canonical advisory URL is not given in the source; this link points to the FAQ section on the fixed VMware Tools.)
- [Vulnerability source article](https://www.bleepingcomputer.com/news/security/vmware-fixes-four-esxi-zero-day-bugs-exploited-at-pwn2own-berlin/)