Critical Local Privilege Escalation in VMware ESXi (CVE‑2025‑41237) Enables Hypervisor Takeover
What It Is — An integer underflow in the VMCI driver of VMware ESXi permits a local attacker who can already execute code inside a guest VM to gain hypervisor‑level privileges. Because the driver does not validate user‑supplied data, the underflow allows arbitrary memory writes and code execution on the ESXi host.
Exploitability — The attack requires code execution within a guest VM (local privilege escalation). No public exploit code is available, but the vulnerability was demonstrated in the Pwn2Own competition, confirming practical exploitability. CVSS 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Affected Products — VMware ESXi (all versions prior to the March 2026 security update).
TPRM Impact — A compromised ESXi host can expose every workload running on that hypervisor, potentially leaking data across multiple tenants and causing service disruption for cloud‑service providers and on‑premises data‑center operators.
Recommended Actions —
- Apply VMware’s March 2026 ESXi security patch immediately.
- Conduct an inventory scan to confirm all hosts are patched.
- Enforce strict network segmentation between management and guest traffic.
- Enable logging and monitoring for anomalous VMCI activity and privilege‑escalation alerts.
- Review third‑party contracts to ensure vendors commit to timely hypervisor patching.