Good catch by @TomSellers - although VMware doesn't list ESXi 6.7 as vulnerable, it is - they've published a patch for it: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/6-7/release-notes/esxi-update-and-patch-release-notes/vmware-esxi-67-patch-release-esxi670202503001.html

I think what's happening here is 6.7 is under premium (paid) extended support where they publish patches for high severity vulns for $$

This also tends to indicate it applies to other unsupported versions. The forum post suggested that vuln worked on ESXi 5.x - no patch is available that far back.

I think this may be a big problem for many orgs.

Another good catch by @TomSellers - VMware's website advisory has less detail than their github for some reason.

Their github: https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004

According to their Github, additional VMware ESXi versions are impacted (e.g. 6.5, 6.7) and older versions are likely impacted but no patches available.

An in the wild exploit for RCE hypervisor escape across every supported (and unsupported) product like this is unprecedent.

I wrote up everything I know about #ESXicape https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc

#threatintel

Does anybody know anybody at VMware Security who could have a look at the #ESXicape knowledge base article please?

It's missing 6.5 and 6.7, which are definitely vulnerable and have patches available on Broadcom's site. They're also listed in the VMware Github advisory, but have been missed off the support site. It's causing people to not patch.