VMware Flaws That Earned Hackers $340,000 at Pwn2Own Patched

Broadcom informed customers this week that several VMware product vulnerabilities disclosed earlier this year at the Pwn2Own hacking competition have been patched.Participants earned more than $1 million at thePwn2Own Berlin 2025competition organized by Trend Micro’s Zero Day Initiative (ZDI). More than $340,000 was paid out for exploits targeting VMware products.The STARLabs SG team earned $150,000 for exploiting a single integer overflow bug to hack VMware ESXi.According to Broadcom’s advisory, this critical bug impacts the VMXNET3 virtual network adapter and it can allow an attacker with local admin privileges on a VM that uses the adapter to execute arbitrary code on the host. The security hole is tracked as CVE-2025-41236.The REverse Tactics team earned $112,500 for an ESXi exploit involving two bugs. The amount is lower than the one earned by STARLabs SG because one of the flaws was known to Broadcom.REverse Tactics has been credited by Broadcom for two CVEs: CVE-2025-41237, a cr...