VMware has released security advisory VMSA-2025-0004. The advisory identifies multiple vulnerabilities in VMware products, including VMware ESXi, VMware Workstation Pro, VMware Fusion, VMware Cloud Foundation and VMware Telco Cloud Platform.
VMware HCX
VMSA-2025-0004 identifies critical zero-day vulnerabilities (VMCI heap-overflow and ESXi arbitrary kernel write) that allow for virtual machine-to-host sandbox escapes.
HCX users may be concerned about the impact of the reported vulnerabilities on HCX Manager and the HCX Service Appliances.
Based on Broadcom Security Advisory VMSA-2025-0004, VMware HCX is not directly listed as an affected product for CVE-2025-22224 or CVE-2025-22225.
These vulnerabilities primarily target the hypervisor and desktop virtualization layers. However, HCX deployments are indirectly impacted because HCX Manager and the HCX Service Appliances (such as the Interconnect and Network Extension appliances) run as virtual machines on VMware ESXi hosts, which are the primary targets of these CVEs.
Infrastructure Patching: Update the underlying ESXi hosts to the fixed versions identified in the advisory:
ESXi 8.0: Update to 8.0 U3d (Build 24585383) or 8.0 U2d (Build 24585300).
ESXi 7.0: Update to 7.0 U3s (Build 24585291).
VCF Environments: If HCX is running on VMware Cloud Foundation, apply the Async Patch for ESXi as per KB88287.
HCX Maintenance: No specific patch for the HCX software itself is required for these CVEs. Ensure HCX is running a supported version to maintain overall security posture.
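As an added example (not part of the advisory and not VMware's own tooling), the following Python script shows how an operator can check the hosts that carry HCX appliances against the fixed builds listed above. It parses captured output in the shape of `esxcli system version get` and classifies each host as patched, vulnerable, or on a release line with no listed fix. The host names, the sample output and every build number other than the three fixed builds are constructed for the example.

```python
import re
from dataclasses import dataclass

# Fixed ESXi builds from VMSA-2025-0004, keyed by (release line, update number).
# These three values are the ones the advisory lists; a host on any other
# release line has no listed fix and must be moved to one of these.
FIXED_BUILDS = {
    ("8.0", 3): 24585383,  # ESXi 8.0 U3d
    ("8.0", 2): 24585300,  # ESXi 8.0 U2d
    ("7.0", 3): 24585291,  # ESXi 7.0 U3s
}

# Constructed sample output in the shape of `esxcli system version get`, one
# entry per hypothetical host. Builds other than the fixed ones are made up.
SAMPLE_HOSTS = {
    "esx-hcx-01": """   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24585383
   Update: 3""",
    "esx-hcx-02": """   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24500000
   Update: 3""",
    "esx-hcx-03": """   Product: VMware ESXi
   Version: 8.0.2
   Build: Releasebuild-24585300
   Update: 2""",
    "esx-hcx-04": """   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-24000000
   Update: 3""",
    "esx-hcx-05": """   Product: VMware ESXi
   Version: 8.0.1
   Build: Releasebuild-22000000
   Update: 1""",
}


@dataclass(frozen=True)
class HostVersion:
    name: str
    line: str    # release line, e.g. "8.0" or "7.0"
    update: int  # update number, e.g. 3 for 8.0 U3
    build: int   # numeric build, e.g. 24585383


def parse_esxcli_version(name: str, text: str) -> HostVersion:
    """Parse the key/value output of `esxcli system version get`."""
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    major, minor, *rest = fields["Version"].split(".")
    # Prefer the explicit Update field; fall back to the third version component.
    update = int(fields.get("Update") or (rest[0] if rest else 0))
    build = int(re.search(r"\d+", fields["Build"]).group())
    return HostVersion(name, f"{major}.{minor}", update, build)


def assess(host: HostVersion) -> str:
    """Classify one host against the fixed builds listed in the advisory."""
    fixed = FIXED_BUILDS.get((host.line, host.update))
    if fixed is None:
        # No fixed build exists for this line; the host must be upgraded to one that has one.
        return "UPGRADE_REQUIRED"
    # Builds increase monotonically within a release line, so >= is a valid test.
    return "PATCHED" if host.build >= fixed else "VULNERABLE"


def assess_all(samples=SAMPLE_HOSTS) -> dict:
    """Return {host name: status} for every captured version block."""
    return {name: assess(parse_esxcli_version(name, text))
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, status in assess_all().items():
        print(f"{name}: {status}")
```

Because the comparison is done per release line, a host on 8.0 U2 is measured against the U2d build and a host on 8.0 U3 against the U3d build; a host on a line the advisory does not list (8.0 U1 in the sample) is reported as needing an upgrade rather than being compared against an unrelated build. Any host reported as anything other than PATCHED still exposes every VM it runs, the HCX appliances included.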
Remediating the ESXi hypervisor eliminates the attack vector (sandbox escape) at the source. This secures the environment for all resident VMs, including HCX appliances, without requiring modifications to the HCX application layer.