VMware Patches Critical Vulnerabilities in Virtualization Products
The security updates address flaws that could allow attackers to escape virtual machines and compromise host systems.
- VMware has released patches for four critical vulnerabilities in its virtualization products, including discontinued products. The flaws could allow attackers to escape the virtual machine environment and execute malicious actions on the host system.
- The vulnerabilities, identified as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255, affect VMware ESXi, Workstation Pro/Player, Fusion Pro/Fusion, and Cloud Foundation products.
- Updates and patches are available for affected products, and VMware also provides instructions for a workaround involving the removal of USB controllers from virtual machines to prevent exploitation.
- Some of the vulnerabilities were discovered by researchers at the 2023 Tianfu Cup Pwn Contest in China, highlighting the global effort to identify and mitigate cybersecurity threats.
- VMware urges customers to apply the security updates promptly to protect their systems, emphasizing the critical nature of the vulnerabilities and the potential risks to virtual machine isolation and host system security.
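
To plan the USB-controller workaround mentioned above, it helps to know which virtual machines still have a USB controller configured. The following is an added example, not VMware's tooling or part of the original article: it scans `.vmx` configuration text for the controller settings `usb.present`, `ehci.present` and `usb_xhci.present` (standard VMX keys that the article itself does not list) and reports the VMs where any is enabled. The sample VMX contents and VM names are constructed.

```python
import re

# VMX keys that enable virtual USB controllers (UHCI, EHCI, xHCI).
# These names are not given in the article; they are the usual VMX settings.
USB_CONTROLLER_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")

# Matches 'key = "value"'; lines starting with '#' (comments) do not match.
_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse VMX 'key = "value"' lines into a dict with lowercase keys."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            # Keys are compared case-insensitively here (an assumption).
            settings[m.group(1).lower()] = m.group(2)
    return settings

def usb_controllers_present(vmx_text):
    """Return the USB controller keys that are enabled in this VMX text."""
    settings = parse_vmx(vmx_text)
    return [k for k in USB_CONTROLLER_KEYS
            if settings.get(k, "FALSE").strip().upper() == "TRUE"]

def audit(vmx_files):
    """Map each VMX name to its enabled USB controllers; omit clean VMs."""
    findings = {}
    for name, text in vmx_files.items():
        found = usb_controllers_present(text)
        if found:
            findings[name] = found
    return findings

# Constructed sample VMX contents (not taken from any real system).
SAMPLE = {
    "build-agent.vmx": 'displayName = "build-agent"\n'
                       'usb.present = "TRUE"\nehci.present = "TRUE"\n',
    "db01.vmx": 'displayName = "db01"\nusb.present = "FALSE"\n'
                '# usb_xhci.present = "TRUE"\n',
    "legacy.vmx": 'displayName = "legacy"\nUSB_XHCI.present = "true"\n',
}

if __name__ == "__main__":
    for vm, keys in audit(SAMPLE).items():
        print(f"{vm}: USB controller still enabled via {', '.join(keys)}")
```

The script only reports; removing the controller should follow VMware's own workaround instructions for the affected product.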