Critical Vulnerabilities in VMware Products
7 March 2024
VMware has released security updates addressing two critical vulnerabilities (CVE-2024-22252 and CVE-2024-22253) in their ESXi, Workstation, Fusion, and Cloud Foundation products.
The vulnerabilities are:
CVE-2024-22252 – A use-after-free vulnerability in the XHCI USB controller may allow an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.
CVE-2024-22253 – A use-after-free vulnerability in the UHCI USB controller may allow an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.
On VMware ESXi, successful exploitation of the vulnerabilities is contained within the VMX sandbox. However, on VMware Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
The vulnerabilities affect the following products:
VMware ESXi
VMware Workstation Pro / Player
VMware Fusion Pro / Fusion
VMware Cloud Foundation
Users and administrators of the affected products are advised to update to the latest versions immediately.
Users and administrators who are unable to update their affected products immediately are advised to remove all USB controllers from the Virtual Machine as a workaround.
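The following PowerCLI script is an added example for applying the USB-controller workaround across a vSphere inventory; it is not from the VMware advisory or knowledge base article. It assumes VMware PowerCLI is installed, that the account used can reconfigure virtual machines, and that the parameter names ($Server, -Remove) are this script's own choice.

```powershell
# Added example (not VMware's own tooling): list the USB controllers attached to
# every VM reachable from a vCenter/ESXi host and, with -Remove, detach them
# through the vSphere API. Assumes the VMware.PowerCLI module is installed.
param(
    [Parameter(Mandatory)] [string] $Server,
    [switch] $Remove   # without -Remove the script only reports what it finds
)

Connect-VIServer -Server $Server | Out-Null

# vSphere API device classes for the two affected controllers:
#   VirtualUSBController     - the USB 1.1/2.0 controller (UHCI, CVE-2024-22253)
#   VirtualUSBXHCIController - the USB 3.x controller (xHCI, CVE-2024-22252)
$usbControllerTypes = @('VirtualUSBController', 'VirtualUSBXHCIController')

foreach ($vm in Get-VM) {
    $controllers = $vm.ExtensionData.Config.Hardware.Device |
        Where-Object { $usbControllerTypes -contains $_.GetType().Name }
    if (-not $controllers) { continue }

    foreach ($dev in $controllers) {
        # Report VM name, device label and controller class
        '{0}: {1} ({2})' -f $vm.Name, $dev.DeviceInfo.Label, $dev.GetType().Name

        if ($Remove) {
            # Build a reconfiguration spec that removes just this device
            $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
            $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
            $change.Device = $dev

            $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
            $spec.DeviceChange = @($change)
            $vm.ExtensionData.ReconfigVM($spec)
        }
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it first without -Remove to review which VMs still carry a USB controller; the host may reject removal of a controller that still has USB devices attached or that belongs to a powered-on VM, so handle those VMs individually.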
More information is available here:
https://www.vmware.com/security/advisories/VMSA-2024-0006.html
https://kb.vmware.com/s/article/96682
https://www.securityweek.com/vmware-patches-critical-esxi-sandbox-escape-flaws/