Critical Vulnerabilities in VMware ESXi, Fusion and Workstation

March 10, 2022

A total of 5 vulnerabilities were discovered in these VMware products; if exploited, they can lead to anything from command execution to denial-of-service attacks. VMware has released a critical security patch to mitigate these vulnerabilities in ESXi, Fusion and Workstation, as well as VMware Cloud Foundation. If left unpatched, these flaws would allow an attacker to access workloads within the organization's virtual environments.

The vulnerabilities score from 5.3 to 8.4 out of 10 on the CVSS scale, which makes them significant on their own. The larger problem is that these flaws can be chained during exploitation to increase their impact, so in combination they amount to a critical-level issue.

 

The 5 vulnerabilities are as follows:

  • CVE-2021-22040: Use-after-free vulnerability in XHCI USB controller (CVSS 8.4)
  • CVE-2021-22041: Double-fetch vulnerability in UHCI USB controller (CVSS 8.4)
  • CVE-2021-22042: ESXi 'settingsd' unauthorized access vulnerability (CVSS 8.2)
  • CVE-2021-22043: ESXi 'settingsd' TOCTOU vulnerability (CVSS 8.2)
  • CVE-2021-22050: ESXi slow HTTP POST denial of service vulnerability (CVSS 5.3)

 

We know that an organization-wide patching process can be time-consuming and lead to infrastructure issues, so to mitigate the 2 highest scoring vulnerabilities, organizations can remove USB controllers from their virtual machines as a compensating control. However, this should be treated as a temporary solution while a patching window is established, because the potential risk is still there and will not be removed until patches are installed.
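
One way to check which virtual machines still carry the USB controllers this workaround removes, as an added example that is not from VMware or the original article. It scans .vmx configuration text for the `usb.present` (UHCI) and `usb_xhci.present` (XHCI) settings; the key-to-controller mapping and the sample configurations are assumptions made for illustration.

```python
import re

# .vmx keys that enable the two USB controller types named in the advisory.
# The key-to-controller mapping is an assumption about the .vmx format.
USB_CONTROLLER_KEYS = {
    "usb_xhci.present": ("XHCI", "CVE-2021-22040"),
    "usb.present": ("UHCI", "CVE-2021-22041"),
}

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse .vmx 'key = "value"' lines into a dict with lowercased keys."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def exposed_controllers(vmx_text):
    """Return [(controller, cve)] for USB controllers still enabled in a VM."""
    settings = parse_vmx(vmx_text)
    return [
        info
        for key, info in USB_CONTROLLER_KEYS.items()
        if settings.get(key, "FALSE").strip().upper() == "TRUE"
    ]


# Constructed sample configurations (not taken from a real environment).
SAMPLE_VMX = {
    "app01.vmx": 'displayName = "app01"\nusb.present = "TRUE"\nusb_xhci.present = "TRUE"\n',
    "db01.vmx": 'displayName = "db01"\nusb.present = "FALSE"\nUSB_XHCI.present = "true"\n',
    "web01.vmx": 'displayName = "web01"\nethernet0.present = "TRUE"\n',
}


def audit(configs):
    """Map each VM config name to the controllers the workaround has not yet removed."""
    return {name: exposed_controllers(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_VMX).items():
        status = ", ".join(f"{c} ({cve})" for c, cve in found) or "no USB controller"
        print(f"{name}: {status}")
```

A VM that reports no USB controller has the workaround in place but still needs the patch, since the remaining three vulnerabilities are unaffected by it.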

For more details, you can consult the official VMware documentation regarding these vulnerabilities. As mentioned above, VMware has released the security patch, so it is recommended to update as soon as possible to mitigate these vulnerabilities.
