There was a disturbance in the enterprise security world, and it started with a Pwn2Own Berlin. [Khoa Dinh] and the team at Viettel Cyber Security discovered a pair of vulnerabilities …read more

Mike Kiev - Fotolia News Hacking contest exposes VMware security In what has been described as a historical first, hackers in Berlin have been able to demo successful attacks on the ESXi hypervisor By Cliff Saran, Managing Editor Published: 20 May 2025 16:30 The cyber security team at Broadcom has acknowledged that during the Pwn2Own hacking contest in Berlin in March, there were three successful attacks on the VMware hypervisor.  On March 16, Nguyen Hoang Thach, a security researcher from Star Labs, successfully exploited VMware ESXi. “This is the first time VMware ESXi was exploited in the Pwn2Own hacking event,” Praveen Singh and Monty Ijzerman, from the product security and incident response team in the VMware Cloud Foundation division of Broadcom, wrote on the company’s website.  This is something that has not been achieved before, according to a LinkedIn post by Bob Carver, CEO of Cybersecurity Boardroom. “This was the first time in Pwn2Own’s history, stretching back to 2007, that the hypervisor has been successfully exploited,” he wrote, adding that the hacker was able to deploy a single integer overflow exploit. Singh and Ijzerman also noted that on 17 March, Corentin Bayet, chief technology officer of Reverse Tactics, successfully exploited ESXi by chaining two vulnerabilities. According to Singh and Ijzerman, one of the vulnerabilities used in the exploit was already known. The third successful attack, also on 17 March, was run by Thomas Bouzerar and Etienne Helluy-Lafont, security experts from Synacktiv, who managed to successfully exploit the VMware workstation. Singh and Ijzerman said the team at Broadcom were actively working on the remediation. “We plan to publish a VMware Security Advisory to provide information on updates for the affected products,” they said. Read more VMware stories No workaround leads to more pain for VMware users: There are patches for the latest batch of security alerts from Broadcom, but VMware users on perpetual licences may not have access. VMware patches put spotlight on support: Recent security updates in VMware products have highlighted the challenge IT decision-makers face as they navigate Broadcom licensing changes. While Broadcom has so far committed to providing patches for zero-day exploits, its current strategy to move customers onto VMware Cloud Foundation subscription bundles may leave some VMware users with gaps in their security, especially if their support contract is up for renewal. As Computer Weekly reported earlier this month, Broadcom informed customers it would no longer renew support contracts for VMware products purchased on a perpetual licence basis and that support would only continue for those that moved to a VMware subscription. On 12 May, Broadcom issued a critical security advisory, CVE-2025-22249, which affects the Aria toolset. The Cybersecurity Centre for Belgium said that given the vulnerability requires user interaction, it could be exploited through a phishing attack if a VMware admin clicked on a malicious URL link. “If the user is logged in to their VMware Aria Automation account, the threat actor could gain full control of their account and perform any actions the user has the rights to perform. The vulnerability has a severe impact to the confidentiality and low impact to the integrity of the affected systems,” it warned, urging VMware users to “patch immediately”. Broadcom has issued patches for VMware Aria Automation 8.18.x and version 5.x and 4.x of VMware Cloud Foundation, but it has not provided any workarounds, which means those users running an older version of the tool remain at risk. There are a number of reports that many VMware customers have been sent cease-and-desist emails from Broadcom regarding their perpetual VMware licenses, which demand removal of patches and bug fixes that they may have installed. While details of the successful exploits of the VMware hypervisor have yet to be published, the patches are not yet available, and questions remain as to how widely these will be distributed. In The Current Issue: UK critical systems at risk from ‘digital divide’ created by AI threats UK at risk of Russian cyber and physical attacks as Ukraine seeks peace deal Standard Chartered grounds AI ambitions in data governance Download Current Issue Starburst chews into the fruits of agentic – CW Developer Network Calm settles over digital identity market - for now... (Hark, is that Big Tech on the horizon?) – Computer Weekly Editors Blog View All Blogs

May 19, 2025Ravie LakshmananBrowser Security / Vulnerability Mozilla has released security updates to address two critical security flaws in its Firefox browser that could be potentially exploited to access sensitive data or achieve code execution. The vulnerabilities, both of which were exploited as a zero-day at Pwn2Own Berlin, are listed below - CVE-2025-4918 - An out-of-bounds access vulnerability when resolving Promise objects that could allow an attacker to perform read or write on a JavaScript Promise object CVE-2025-4919 - An out-of-bounds access vulnerability when optimizing linear sums that could allow an attacker to perform read or write on a JavaScript object by confusing array index sizes In other words, successful exploitation of either of the flaws could permit an adversary to achieve out-of-bounds read or write, which could then be abused to access otherwise sensitive information or result in memory corruption that could pave the way for code execution. The vulnerabilities affect the following versions of the Firefox browser - All versions of Firefox before 138.0.4 (including Firefox for Android) All versions of Firefox Extended Support Release (ESR) before 128.10.1 All versions of Firefox ESR before 115.23.1 Edouard Bochin and Tao Yan from Palo Alto Networks have been credited with finding and reporting CVE-2025-4918. The discovery of CVE-2025-4919 has been credited to Manfred Paul. It's worth noting that both shortcomings were demonstrated at the Pwn2Own Berlin hacking contest last week for which they were awarded $50,000 each. With web browsers continuing to be an attractive vector for malware delivery, users are advised to update their instances to the latest version to safeguard against potential threats. "Neither of the attacks managed to break out of our sandbox, which is required to gain control over the user's system," Mozilla said in a statement. "Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    