In March 2025, VMware users received concerning news from the Microsoft Threat Intelligence Center regarding the discovery of CVE-2025-22226 and two other critical vulnerabilities that were already being exploited in the wild.

VMware Fusion users need to pay particular attention to this threat, as it represents an active security risk rather than a theoretical vulnerability. CISA (Cybersecurity and Infrastructure Security Agency) has mandated patches be applied by March 25, 2025, highlighting the severity of this issue.

 

 

1. CVE-2025-22226 Vulnerability Analysis

Understanding the Vulnerability

CVE-2025-22226 is an information disclosure vulnerability affecting VMware ESXi, Workstation, and Fusion’s HGFS (Host-Guest File System). HGFS is a critical system component responsible for file sharing between host and guest virtual machines.

Vulnerability Details:

  • CVSS Score: 7.1 (Important severity)
  • Attack Vector: Local
  • Privilege Requirements: Virtual machine administrator privileges
  • Impact: Confidentiality breach

When a malicious actor gains administrator privileges on a virtual machine, this vulnerability allows them to leak memory information from the VMX process. This could expose sensitive data including passwords, encryption keys, or other confidential information, creating significant security risks.

Real-World Attack Scenarios

Here’s how this vulnerability could be exploited in production environments:

  1. Multi-tenant Environments: Cloud services or shared virtualization environments where one tenant could access another tenant’s data
  2. Development/Testing Environments: Virtual machines used by developers potentially exposing sensitive host information
  3. Enterprise Networks: Internal attackers or privilege escalation attacks leading to additional information gathering

 

 

2. Identifying Affected VMware Fusion Versions

Before applying patches, verify your current VMware Fusion version.

Version Check Methods on macOS

Method 1: GUI Menu Check

  1. Launch VMware Fusion
  2. Click VMware Fusion > About VMware Fusion in the top menu
  3. Note the version information

Method 2: Terminal Command

/Applications/VMware\ Fusion.app/Contents/MacOS/VMware\ Fusion --version

Vulnerable Version Range

All VMware Fusion 13.x versions prior to 13.6.3 are affected by this vulnerability:

| Product | Vulnerable Versions | Patched Version |
|---|---|---|
| VMware Fusion | 13.0 ~ 13.6.2 | 13.6.3 or later |
| VMware Fusion Pro | 13.0 ~ 13.6.2 | 13.6.3 or later |
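
The range in the table above, written as a check a script can run across several Macs. This is an added example, not code from the original article or from VMware. The helper names `fusion_status` and `installed_fusion_version` are hypothetical, and reading the version from the app bundle with `defaults read` is an assumption of the example.

```shell
#!/bin/sh
# Added example: classify a VMware Fusion version against the range in the
# table above (13.0 through 13.6.2 affected, 13.6.3 or later patched).

# fusion_status VERSION -> prints affected | patched | out-of-scope | unknown
fusion_status() {
    # Keep the first dotted number: "VMware Fusion 13.6.3 (...)" -> "13.6.3"
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || { echo unknown; return 2; }
    old_ifs=$IFS; IFS=.
    set -- $v                      # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # Compare field by field as integers: a string compare would rank
    # "13.6.10" below "13.6.3".
    if [ "$major" -ne 13 ]; then
        echo out-of-scope          # the page only covers the 13.x line
    elif [ "$minor" -lt 6 ] || { [ "$minor" -eq 6 ] && [ "$patch" -lt 3 ]; }; then
        echo affected
    else
        echo patched
    fi
}

# installed_fusion_version -> version string from the app bundle (macOS only).
# Assumption: the bundle's CFBundleShortVersionString carries the product version.
installed_fusion_version() {
    defaults read "/Applications/VMware Fusion.app/Contents/Info" \
        CFBundleShortVersionString 2>/dev/null
}

# Demo on constructed version strings; on a Mac, use instead:
#   fusion_status "$(installed_fusion_version)"
for sample in 13.5.2 13.6.2 13.6.3 13.6.10 12.2.5; do
    printf '%-8s %s\n' "$sample" "$(fusion_status "$sample")"
done
```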

 

 

3. VMware Fusion 13.6.3 Download and Installation Guide

Downloading the Patch

VMware Fusion Pro is now available free for commercial, educational, and personal use, with no license key required.

Official Download Path:

  1. Visit Broadcom Support Portal
  2. Create account or log in (free registration)
  3. Download VMware Fusion 13.6.3
  4. Select appropriate version for Intel-based or Apple Silicon Mac

Step-by-Step Installation Process

Step 1: Backup Existing Virtual Machines

# Verify Time Machine backup or create manual backup
cp -R ~/Virtual\ Machines ~/Desktop/VM_Backup_$(date +%Y%m%d)

Step 2: Shut Down Running Virtual Machines

  • Properly shut down all virtual machines
  • Completely quit VMware Fusion application

Step 3: Remove Existing VMware Fusion

  1. Right-click VMware Fusion in Applications folder
  2. Select Move to Trash
  3. Complete removal with administrator privileges:

sudo /Applications/VMware\ Fusion.app/Contents/Library/vmware-uninstall-tools

Step 4: Install New Version

  1. Mount the downloaded .dmg file
  2. Drag VMware Fusion icon to Applications folder
  3. Launch application after installation completes
  4. Accept license agreements and complete initial setup

Step 5: Verify Installation

/Applications/VMware\ Fusion.app/Contents/MacOS/VMware\ Fusion --version

Confirm output shows version 13.6.3 or later

 

 

4. HGFS (Host-Guest File System) Security Hardening

Beyond patching, you can restrict HGFS functionality to create additional security layers.

Understanding HGFS

HGFS manages file sharing between virtual machines and hosts, serving as the core component for Shared Folders functionality. In high-security environments, disabling this feature reduces the attack surface.

Per-VM HGFS Disabling Methods

Method 1: VMware Fusion GUI Configuration

  1. Select target virtual machine in VMware Fusion
  2. Click Virtual Machine > Settings (or ⌘+E)
  3. Select Sharing tab
  4. Uncheck Enable shared folders
  5. Access advanced settings in Isolation section
  6. Click Advanced Options > Configuration Parameters
  7. Add the following parameters:

| Parameter Name | Value | Description |
|---|---|---|
| isolation.tools.hgfsServerSet.disable | TRUE | Disables HGFS server registration |
| isolation.tools.hgfs.disable | TRUE | Completely disables HGFS functionality |

Method 2: Direct .vmx File Editing

# Find .vmx files after shutting down virtual machines
find ~/Virtual\ Machines -name "*.vmx" -type f

# Open file with text editor
nano "/path/to/your/vm.vmx"

# Add these lines to the .vmx file (configuration entries, not shell commands)
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.tools.hgfs.disable = "TRUE"

Considerations When Disabling HGFS

Disabling HGFS prevents the VMX process from responding to tool process commands, which may limit the following functionality:

  • Shared Folders feature completely unavailable
  • VMware Tools automatic upgrades restricted
  • Some VIX commands non-functional
  • File drag-and-drop functionality limited

 

 

5. Post-Patch Security Verification

Vulnerability Scanning Tools

For Qualys Customers: Use QIDs 216335, 216336, 382908, and 382910 to detect vulnerable assets.

For Nessus Users: Utilize Nessus Plugin ID 222492 to detect VMware Fusion 13.x < 13.6.3 HGFS vulnerabilities.

Manual Verification Methods

Step 1: Version Confirmation

/Applications/VMware\ Fusion.app/Contents/MacOS/VMware\ Fusion --version
# Output should show VMware Fusion 13.6.3 or later

Step 2: HGFS Configuration Check

# Check HGFS settings in virtual machine .vmx files
grep -i "hgfs" ~/Virtual\ Machines/*/*.vmx

Step 3: Log Monitoring

# Monitor VMware logs for HGFS-related activity
tail -f ~/Library/Logs/VMware/*.log | grep -i hgfs
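
Step 2's grep only lists lines that mention HGFS. The added example below (not from the original article or from VMware) reports, for each .vmx file, whether both isolation settings from section 4 are present and set to TRUE. The function names `audit_vmx` and `audit_vm_dir` are hypothetical, the sample files are constructed, and matching keys and values case-insensitively is an assumption of the example.

```shell
#!/bin/sh
# Added example: audit .vmx files for the two HGFS isolation settings.
# Assumption: keys and the TRUE value are matched case-insensitively.

# audit_vmx FILE: prints PASS, or one FAIL line per problem; returns 1 on FAIL.
audit_vmx() {
    awk -v f="$1" '
        BEGIN {  # lower-cased key -> spelling used on the page
            want["isolation.tools.hgfsserverset.disable"] = "isolation.tools.hgfsServerSet.disable"
            want["isolation.tools.hgfs.disable"] = "isolation.tools.hgfs.disable"
        }
        /^[ \t]*#/ { next }    # shebang and comment lines
        {
            eq = index($0, "="); if (eq == 0) next
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1)
            sub(/^[ \t]*"?/, "", v); sub(/"?[ \t\r]*$/, "", v)
            if (k in want) { seen[k] = 1; if (toupper(v) != "TRUE") bad[k] = v }
        }
        END {
            for (k in want) {
                if (!(k in seen)) { printf "FAIL %s: %s is not set\n", f, want[k]; rc = 1 }
                else if (k in bad) { printf "FAIL %s: %s = \"%s\"\n", f, want[k], bad[k]; rc = 1 }
            }
            if (!rc) printf "PASS %s\n", f
            exit rc + 0
        }
    ' "$1"
}

# audit_vm_dir [DIR]: audits every .vmx under DIR; returns 1 if any file fails.
audit_vm_dir() {
    find "${1:-$HOME/Virtual Machines}" -name '*.vmx' -type f | (
        st=0
        while IFS= read -r vmx; do audit_vmx "$vmx" || st=1; done
        exit "$st"
    )
}

# Demo on constructed sample files (not real VM configurations).
demo=$(mktemp -d)
printf '%s\n' '#!/usr/bin/vmware' 'isolation.tools.hgfsServerSet.disable = "TRUE"' \
    'isolation.tools.hgfs.disable = "TRUE"' > "$demo/hardened.vmx"
printf '%s\n' '#!/usr/bin/vmware' 'isolation.tools.hgfs.disable = "FALSE"' > "$demo/weak.vmx"
audit_vm_dir "$demo" || echo "at least one VM is missing the HGFS settings"
rm -rf "$demo"
```

Called without an argument, `audit_vm_dir` scans the `~/Virtual Machines` path used in the commands above; a nonzero exit status means at least one VM still lacks a setting.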

 

 

6. Additional Security Hardening Measures

Enhanced Virtual Machine Isolation

Along with patching, implement these additional security measures:

Network Isolation Configuration:

  1. Navigate to Virtual Machine > Settings > Network Adapter
  2. Consider using Host-only networks instead of NAT
  3. Remove unnecessary network adapters

Permission Minimization:

# Restrict virtual machine file permissions
chmod 700 ~/Virtual\ Machines/
chmod 600 ~/Virtual\ Machines/*/*.vmx

Enhanced Monitoring and Logging

System Log Monitoring:

# Monitor VMware-related activities
sudo log stream --predicate 'subsystem contains "com.vmware"' --level debug

Security Event Tracking:

  • Monitor administrator privilege activities within guest VMs
  • Detect abnormal memory access patterns
  • Track suspicious HGFS-related activities

 

 

7. Frequently Asked Questions (FAQ)

Q: What if existing virtual machines don’t work properly after patching?

A: Try these troubleshooting steps in order:

  1. Reinstall VMware Tools
  2. Restore virtual machine configuration files (.vmx) from backup
  3. Restart virtual machines in compatibility mode
  4. Contact Broadcom Support if needed

Q: What file sharing alternatives exist when HGFS is disabled?

A: Consider these alternatives:

  • Network Shares: Use standard protocols like SMB, NFS
  • Cloud Storage: Utilize services like Dropbox, Google Drive
  • USB Passthrough: Direct connection of physical storage devices

Q: Does this vulnerability affect other VMware products?

A: Yes, CVE-2025-22226 equally affects VMware ESXi and Workstation. Apply corresponding patches for each product.

 

 

The fact that CVE-2025-22226 is already being exploited in real-world attacks provides a crucial lesson. Behind the convenience of virtualization technology lurk constant security risks that require ongoing attention and response. The patch application and HGFS security hardening discussed today are not one-time tasks. True security requires regular security update checks, system monitoring, and continuous learning about new threats.

 

