Article Details
Scrape Timestamp (UTC): 2025-07-17 21:37:53.173
Original Article Text
VMware fixes four ESXi zero-day bugs exploited at Pwn2Own Berlin.

VMware fixed four vulnerabilities in VMware ESXi, Workstation, Fusion, and Tools that were exploited as zero-days during the Pwn2Own Berlin 2025 hacking contest in May 2025.

Three of the patched flaws carry a CVSS base score of 9.3 because they allow code running inside a guest virtual machine to execute code on the host. These flaws are tracked as CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238. Per the advisory, exploiting them requires local administrative privileges inside the guest, and the attacker's code then runs as the virtual machine's VMX process on the host, so the boundary being crossed is the guest-to-host isolation that virtualization exists to enforce.

These flaws are described in the security advisory as:

The fourth flaw, tracked as CVE-2025-41239, received a 7.1 score as it is an information disclosure. It was also discovered by Corentin BAYET of REverse Tactics, who chained it with CVE-2025-41237 during the hacking contest.

VMware has not provided any workarounds; the only fix is to install the updated versions of the software. Note that CVE-2025-41239 also affects VMware Tools for Windows, which is upgraded inside each guest rather than by patching the hypervisor, so a patched ESXi host does not by itself close that bug in its Windows VMs.

These vulnerabilities were demonstrated as zero-days during the Pwn2Own Berlin 2025 hacking contest, where security researchers collected $1,078,750 after exploiting 29 zero-day vulnerabilities.
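A practical follow-up to the "install the new versions" guidance above, as an added example that is not from the article, from VMware, or from the advisory: a small triage script that checks an exported inventory of ESXi hosts and guest VMs for two separate conditions, hosts still on a pre-fix build (the three guest-to-host bugs) and Windows guests still on a pre-fix VMware Tools (CVE-2025-41239, which patching the host does not fix). The fixed-build and Tools-version thresholds in the script are assumed placeholders, not values taken from the page, and must be replaced with the advisory's fixed versions; the host and guest records are constructed sample data.

```python
"""Patch-state triage for the four Pwn2Own Berlin 2025 VMware fixes.

Added example, not code from the article or from VMware.  It takes an
inventory of ESXi hosts and guest VMs (constructed sample data below) and
reports which hosts still run a pre-fix build and which Windows guests still
run a pre-fix VMware Tools, since CVE-2025-41239 also lives in Tools for
Windows and is not closed by patching the hypervisor alone.
"""
from dataclasses import dataclass
import re

# ASSUMED placeholder thresholds, keyed by ESXi release train.  Replace them
# with the "Fixed Version" builds from the vendor advisory before use; the
# article itself does not list fixed builds.
FIXED_ESXI_BUILD = {"7.0": 24784741, "8.0": 24784735}
# ASSUMED placeholder minimum VMware Tools version for Windows guests.
FIXED_TOOLS_WINDOWS = (12, 5, 3)


@dataclass(frozen=True)
class Host:
    name: str
    version: str   # dotted ESXi version, e.g. "8.0.3"
    build: int     # ESXi build number


@dataclass(frozen=True)
class Guest:
    name: str
    host: str            # name of the Host it runs on
    guest_os: str        # "windows" or "linux"
    tools_version: str   # VMware Tools version as reported by the guest


def parse_version(text):
    """'12.5.2' -> (12, 5, 2).  A trailing build suffix ('12.5.2.24697584')
    is ignored; a two-part string sorts below any three-part fixed version."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(p) for p in parts[:3])


def host_is_patched(host):
    """True/False against the train's fixed build; None if the train is not
    in the table (e.g. an out-of-support release) so it is surfaced rather
    than silently assumed safe."""
    train = ".".join(host.version.split(".")[:2])
    minimum = FIXED_ESXI_BUILD.get(train)
    if minimum is None:
        return None
    return host.build >= minimum


def tools_are_patched(guest):
    """None for non-Windows guests (the Tools fix discussed is for Tools for
    Windows), otherwise a version comparison against the assumed minimum."""
    if guest.guest_os.lower() != "windows":
        return None
    return parse_version(guest.tools_version) >= FIXED_TOOLS_WINDOWS


def triage(hosts, guests):
    """Return lists of names, in inventory order, for each finding class."""
    state = {h.name: host_is_patched(h) for h in hosts}
    return {
        "hosts_unpatched": [n for n, ok in state.items() if ok is False],
        "hosts_unknown_train": [n for n, ok in state.items() if ok is None],
        # A guest is exposed to the guest-to-host bugs whenever its host is
        # not confirmed patched, regardless of the guest's own Tools version.
        "guests_on_unpatched_hosts": [g.name for g in guests
                                      if state.get(g.host) is not True],
        "guests_tools_outdated": [g.name for g in guests
                                  if tools_are_patched(g) is False],
    }


# Constructed sample inventory (not real hosts); the build numbers below the
# thresholds are arbitrary "older build" values.
SAMPLE_HOSTS = [
    Host("esx-01", "8.0.3", 24784735),   # at the assumed fixed build
    Host("esx-02", "8.0.3", 24674464),   # older build
    Host("esx-03", "7.0.3", 24784741),   # at the assumed fixed build
    Host("esx-04", "6.7.0", 17700523),   # train not in the table
]
SAMPLE_GUESTS = [
    Guest("win-app-01", "esx-01", "windows", "12.5.3"),
    Guest("win-app-02", "esx-01", "windows", "12.5.2"),   # host fixed, Tools not
    Guest("lin-db-01", "esx-02", "linux", "12.4.5"),
    Guest("win-dc-01", "esx-04", "windows", "11.3.5"),
]

if __name__ == "__main__":
    for finding, names in triage(SAMPLE_HOSTS, SAMPLE_GUESTS).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

The two finding classes are kept apart on purpose: win-app-02 sits on a host at the fixed build and still shows up, because its in-guest Tools is behind, while hosts on a release train missing from the threshold table are reported as unknown rather than treated as patched.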
Daily Brief Summary
VMware resolved four vulnerabilities, three of them critical, in its ESXi, Workstation, Fusion, and Tools products.
The vulnerabilities were exposed during the Pwn2Own Berlin 2025 competition.
Three of these vulnerabilities, rated 9.3 in severity, could allow guest virtual machines to execute commands on the host system.
These high-severity vulnerabilities are identified as CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238.
A fourth issue, CVE-2025-41239, rated at 7.1, is an information disclosure that also affects VMware Tools for Windows, which is updated inside the guest rather than by patching the host.
No workarounds are available; updating to the latest software versions is required to mitigate the risks.
These four bugs were among the 29 zero-days demonstrated at Pwn2Own Berlin 2025, where researchers earned $1,078,750 in total.