CVE-2025-41238

ENISA EUVD: EUVD-2025-21542 ↗

✓ Confirmed 0-Day

Triaged: March 5, 2026 2 articles Published: 2025-07-15

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗

EPSS Score

Source: FIRST.org · 2026-05-23

0.12%

probability

This CVE has a 0.12% probability of being exploited in the next 30 days.

0% Top 30.0th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

9.3

CRITICAL

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Affected Products

VMware

ESXi

8.0 8.0 7.0

VMware

Cloud Foundation

5.x, 4.5.x

VMware

Workstation

17.x

VMware

Fusion

13.x

VMware

Telco Cloud Platform

5.x, 4.x, 3.x, 2.x

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

Signal Intelligence

Confidenceⓘ

92%

EPSS 0.12%

CVSS v3.1 9.3

Mentions 2

Last Seen Jul 18, 2025

CNA Information

CNA Assigner

vmware

CNA Title

PVSCSI heap-overflow vulnerability

Analyst Note

CVE-2025-41238 is explicitly named as a zero-day exploited at Pwn2Own Berlin, with VMware releasing a patch in response to active exploitation. The CVE is recent (2025), and the BleepingComputer article directly states it as one of four ESXi zero-day bugs exploited at the security conference, confirming in-the-wild exploitation tied to patch release.

Threat Actors 2

Hacking Team

apt_group 🇮🇹 IT

The White Company

apt_group Information theft and espionage 🇨🇳 CN

Triage Info

Decided atMar 05, 2026

Published DateJul 15, 2025