Vulnerability in VMware Workstation and Fusion arises from a logic flaw in how the software manages network packets, a weakness identified as CWE-923. This flaw enables a malicious actor who has administrative privileges within a Guest virtual machine to interrupt or intercept the network connections of other Guest VMs on the same host. The misuse of packet handling can lead to service disruption or the unauthorized takedown of traffic between guests, exposing data exchange and potentially harming availability for the affected virtual machines.

The flaw impacts VMware Fusion and VMware Workstation products. All currently supported versions released before version 25H2U1 are potentially affected, as the advisory does not list any specific version range but specifies that the fix is included in 25H2U1. VMware did not enumerate affected minor releases, so administrators should assume all earlier builds are vulnerable.

The CVSS score of 5.9 indicates a moderate risk. The EPSS score of less than 1 % suggests a very low probability of exploitation in the general population. VMware has not listed this issue in the CISA KEV catalog, so there is no known active exploitation campaign. Exploitation requires that the attacker runs as an administrator inside a Guest VM, so they must already have control over that VM. The attack vector is local to the host, with the attacker able to hijack traffic routes between guests, potentially enabling denial of service or passive data interception. Overall, the risk is moderate but limited by the attacker’s need for elevated VM privileges.