Connect with us

Hi, what are you looking for?


Malware & Threats

VMware Patches Critical ESXi Sandbox Escape Flaws

The most serious flaws allow hackers with local admin rights to execute code as the virtual machine’s VMX process running on the host.

VMware vulnerability

Virtualization technology vendor VMware on Tuesday rolled out urgent patches for critical-severity flaws in the enterprise-facing ESXi, Workstation, Fusion and Cloud Foundation products.

The company documented four vulnerabilities and warned that the most serious bugs could allow a malicious actor with local admin privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.

Two of the four bugs carry a CVSS severity score of 9.3 out of 10 and, because of the increased risk to organizations, VMware is pushing out fixes even for some end-of-life products.

VMware described the issues as a pair of use-after-free memory corruption vulnerabilities in the XHCI USB controller (CVE-2024-22252 and CVE-2024-22253) that can be combined to escape sandbox mitigations.

“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed,” VMware warned

VMware also acknowledged an ESXi out-of-bounds write vulnerability that could lead to a sandbox escape exploit and an information disclosure vulnerability in the UHCI USB controller that could be exploited to leak memory from the vmx process.  

Related: VMware vCenter Flaw So Critical, End-of-Life Products Patched

Related: Exploit Code Released for Critical VMware Security Defect

Advertisement. Scroll to continue reading.

Related: Code Execution Vulnerabilities in VMware vCenter Server

Related: VMware Confirms Live Exploits Hitting Just-Patched Vuln

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.