English
Arabic
French
Spanish
Portuguese
Deutsch
Turkish
Dutch
Italiano
Russian
Romaian
Portuguese (Brazil)
Greek
Hacking contest exposes VMware security
Mike Kiev - Fotolia
News
Hacking contest exposes VMware security
In what has been described as a historical first, hackers in Berlin have been able to demo successful attacks on the ESXi hypervisor
By
Cliff Saran,
Managing Editor
Published: 20 May 2025 16:30
The cyber security team at Broadcom has acknowledged that during the Pwn2Own hacking contest in Berlin in March, there were three successful attacks on the VMware hypervisor.
On March 16, Nguyen Hoang Thach, a security researcher from Star Labs, successfully exploited VMware ESXi. “This is the first time VMware ESXi was exploited in the Pwn2Own hacking event,” Praveen Singh and Monty Ijzerman, from the product security and incident response team in the VMware Cloud Foundation division of Broadcom, wrote on the company’s website.
This is something that has not been achieved before, according to a LinkedIn post by Bob Carver, CEO of Cybersecurity Boardroom.
“This was the first time in Pwn2Own’s history, stretching back to 2007, that the hypervisor has been successfully exploited,” he wrote, adding that the hacker was able to deploy a single integer overflow exploit.
Singh and Ijzerman also noted that on 17 March, Corentin Bayet, chief technology officer of Reverse Tactics, successfully exploited ESXi by chaining two vulnerabilities. According to Singh and Ijzerman, one of the vulnerabilities used in the exploit was already known.
The third successful attack, also on 17 March, was run by Thomas Bouzerar and Etienne Helluy-Lafont, security experts from Synacktiv, who managed to successfully exploit the VMware workstation.
Singh and Ijzerman said the team at Broadcom were actively working on the remediation. “We plan to publish a VMware Security Advisory to provide information on updates for the affected products,” they said.
VMware stories
No workaround leads to more pain for VMware users: There are patches for the latest batch of security alerts from Broadcom, but VMware users on perpetual licences may not have access.
VMware patches put spotlight on support: Recent security updates in VMware products have highlighted the challenge IT decision-makers face as they navigate Broadcom licensing changes.
While Broadcom has so far committed to providing patches for zero-day exploits, its current strategy to move customers onto VMware Cloud Foundation subscription bundles may leave some VMware users with gaps in their security, especially if their support contract is up for renewal.
As Computer Weekly reported earlier this month, Broadcom informed customers it would no longer renew support contracts for VMware products purchased on a perpetual licence basis and that support would only continue for those that moved to a VMware subscription.
On 12 May, Broadcom issued a critical security advisory, CVE-2025-22249, which affects the Aria toolset. The Cybersecurity Centre for Belgium said that given the vulnerability requires user interaction, it could be exploited through a phishing attack if a VMware admin clicked on a malicious URL link.
“If the user is logged in to their VMware Aria Automation account, the threat actor could gain full control of their account and perform any actions the user has the rights to perform. The vulnerability has a severe impact to the confidentiality and low impact to the integrity of the affected systems,” it warned, urging VMware users to “patch immediately”.
Broadcom has issued patches for VMware Aria Automation 8.18.x and version 5.x and 4.x of VMware Cloud Foundation, but it has not provided any workarounds, which means those users running an older version of the tool remain at risk.
There are a number of reports that many VMware customers have been sent cease-and-desist emails from Broadcom regarding their perpetual VMware licenses, which demand removal of patches and bug fixes that they may have installed.
While details of the successful exploits of the VMware hypervisor have yet to be published, the patches are not yet available, and questions remain as to how widely these will be distributed.
In The Current Issue:
UK critical systems at risk from ‘digital divide’ created by AI threats
UK at risk of Russian cyber and physical attacks as Ukraine seeks peace deal
Standard Chartered grounds AI ambitions in data governance
Download Current Issue
Starburst chews into the fruits of agentic
– CW Developer Network
Calm settles over digital identity market - for now...– Computer Weekly Editors Blog
View All Blogs
#hacking #contest #exposes #vmware #security
Hacking contest exposes VMware security
Mike Kiev - Fotolia
News
Hacking contest exposes VMware security
In what has been described as a historical first, hackers in Berlin have been able to demo successful attacks on the ESXi hypervisor
By
Cliff Saran,
Managing Editor
Published: 20 May 2025 16:30
The cyber security team at Broadcom has acknowledged that during the Pwn2Own hacking contest in Berlin in March, there were three successful attacks on the VMware hypervisor.
On March 16, Nguyen Hoang Thach, a security researcher from Star Labs, successfully exploited VMware ESXi. “This is the first time VMware ESXi was exploited in the Pwn2Own hacking event,” Praveen Singh and Monty Ijzerman, from the product security and incident response team in the VMware Cloud Foundation division of Broadcom, wrote on the company’s website.
This is something that has not been achieved before, according to a LinkedIn post by Bob Carver, CEO of Cybersecurity Boardroom.
“This was the first time in Pwn2Own’s history, stretching back to 2007, that the hypervisor has been successfully exploited,” he wrote, adding that the hacker was able to deploy a single integer overflow exploit.
Singh and Ijzerman also noted that on 17 March, Corentin Bayet, chief technology officer of Reverse Tactics, successfully exploited ESXi by chaining two vulnerabilities. According to Singh and Ijzerman, one of the vulnerabilities used in the exploit was already known.
The third successful attack, also on 17 March, was run by Thomas Bouzerar and Etienne Helluy-Lafont, security experts from Synacktiv, who managed to successfully exploit the VMware workstation.
Singh and Ijzerman said the team at Broadcom were actively working on the remediation. “We plan to publish a VMware Security Advisory to provide information on updates for the affected products,” they said.
VMware stories
No workaround leads to more pain for VMware users: There are patches for the latest batch of security alerts from Broadcom, but VMware users on perpetual licences may not have access.
VMware patches put spotlight on support: Recent security updates in VMware products have highlighted the challenge IT decision-makers face as they navigate Broadcom licensing changes.
While Broadcom has so far committed to providing patches for zero-day exploits, its current strategy to move customers onto VMware Cloud Foundation subscription bundles may leave some VMware users with gaps in their security, especially if their support contract is up for renewal.
As Computer Weekly reported earlier this month, Broadcom informed customers it would no longer renew support contracts for VMware products purchased on a perpetual licence basis and that support would only continue for those that moved to a VMware subscription.
On 12 May, Broadcom issued a critical security advisory, CVE-2025-22249, which affects the Aria toolset. The Cybersecurity Centre for Belgium said that given the vulnerability requires user interaction, it could be exploited through a phishing attack if a VMware admin clicked on a malicious URL link.
“If the user is logged in to their VMware Aria Automation account, the threat actor could gain full control of their account and perform any actions the user has the rights to perform. The vulnerability has a severe impact to the confidentiality and low impact to the integrity of the affected systems,” it warned, urging VMware users to “patch immediately”.
Broadcom has issued patches for VMware Aria Automation 8.18.x and version 5.x and 4.x of VMware Cloud Foundation, but it has not provided any workarounds, which means those users running an older version of the tool remain at risk.
There are a number of reports that many VMware customers have been sent cease-and-desist emails from Broadcom regarding their perpetual VMware licenses, which demand removal of patches and bug fixes that they may have installed.
While details of the successful exploits of the VMware hypervisor have yet to be published, the patches are not yet available, and questions remain as to how widely these will be distributed.
In The Current Issue:
UK critical systems at risk from ‘digital divide’ created by AI threats
UK at risk of Russian cyber and physical attacks as Ukraine seeks peace deal
Standard Chartered grounds AI ambitions in data governance
Download Current Issue
Starburst chews into the fruits of agentic
– CW Developer Network
Calm settles over digital identity market - for now...– Computer Weekly Editors Blog
View All Blogs
#hacking #contest #exposes #vmware #security
·142 Views
