At Pwn2Own Berlin 2025, Nguyen Hoang Thach from the STARLabs SG team exploited a previously unknown integer overflow vulnerability in VMware ESXi, marking the first successful compromise of this hypervisor in the competition’s history. The exploit was developed under strict time constraints, targeting VMware’s enterprise-grade hypervisor architecture. The researcher received $150,000 and top tournament recognition, signaling the high severity and value of the exploit.
The attack focused on a flaw caused by improper handling of arithmetic operations in ESXi. Integer overflow vulnerabilities occur when an arithmetic calculation exceeds the maximum value a variable’s type can hold, so the result silently wraps around; when that wrapped value is then used to size a buffer or index memory, the outcome is memory corruption. In hypervisors, such errors open pathways to arbitrary code execution, privilege escalation, and full control of guest and host systems. The exploit effectively transformed a minor input miscalculation into system-wide access.
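The arithmetic failure described above, as an added illustration that is not ESXi code or the Pwn2Own exploit (whose details this article does not give): a 32-bit size computed from an untrusted record header wraps, shown beside the checked form that enforces the constraint before any allocation happens. The header layout, the function names and the size ceiling are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header as a guest or client might supply it: a record count
 * and a per-record size, both untrusted. Hypothetical layout, not ESXi's. */
typedef struct {
    uint32_t count;
    uint32_t elem_size;
} record_hdr_t;

/* Vulnerable pattern: the product is computed in 32 bits and wraps silently,
 * so a large count yields a small allocation while later loops trust count. */
uint32_t unchecked_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* How many bytes a copy loop driven by count would write beyond a buffer of
 * unchecked_size() bytes; nonzero means heap corruption. The overrun is
 * computed, not performed, so this is safe to run. */
uint64_t unchecked_overrun_bytes(record_hdr_t h) {
    uint64_t alloc   = unchecked_size(h.count, h.elem_size);
    uint64_t written = (uint64_t)h.count * h.elem_size;
    return written > alloc ? written - alloc : 0;
}

/* Hardened pattern: reject the request before any arithmetic result is used
 * for allocation. Wrap is caught by a division check (portable; GCC and Clang
 * also offer __builtin_mul_overflow) and a policy ceiling bounds the total. */
int checked_size(uint32_t count, uint32_t elem_size, size_t max_total, size_t *out) {
    if (elem_size == 0 || count == 0)   return 0;  /* refuse zero-byte requests */
    if (count > UINT32_MAX / elem_size) return 0;  /* product would wrap */
    uint64_t total = (uint64_t)count * elem_size;
    if (total > max_total)              return 0;  /* exceeds policy limit */
    *out = (size_t)total;
    return 1;
}

/* Allocate and copy records only when the size survives every check.
 * Returns the buffer (caller frees) or NULL on rejection. */
void *copy_records(record_hdr_t h, const void *src, size_t src_len, size_t max_total) {
    size_t need;
    if (!checked_size(h.count, h.elem_size, max_total, &need)) return NULL;
    if (need > src_len) return NULL;               /* source shorter than claimed */
    void *buf = malloc(need);
    if (buf) memcpy(buf, src, need);
    return buf;
}
```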
VMware ESXi forms the foundation for virtual infrastructure in many high-security and enterprise-grade environments. Exploiting it allows adversaries to breach multiple virtual machines simultaneously, bypass segmentation controls, and access sensitive workloads that may include critical operations, intellectual property, and classified data.
Possible attack vectors include deployment through remote management interfaces, direct interaction via a compromised guest VM, or malicious actor presence within the same internal segment as the hypervisor. Once exploited, the attacker may move laterally, manipulate or exfiltrate virtual machine memory, intercept data in transit between guest systems, or install persistent implants undetected at the hypervisor level.
The impact of such a breach reaches beyond individual machines. A compromised hypervisor can lead to cascading failures across networked systems, disruption of services in critical infrastructure sectors, and long-term infiltration opportunities for state-sponsored adversaries. Organizations relying on ESXi without isolation or behavioral monitoring face heightened exposure to undetected persistence and data manipulation.
To mitigate exposure, enterprises should deploy rapid patching mechanisms, enforce role-based access restrictions to administrative ESXi interfaces, and implement microsegmentation to prevent direct lateral movement. Behavior-based intrusion detection systems tuned to monitor hypervisor activity remain essential. Scheduled integrity checks, strict audit trails, and separation of critical VM workloads can reduce impact scope if similar vulnerabilities emerge.
The successful breach of VMware ESXi during the competition illustrates that even hardened enterprise virtualization environments remain vulnerable when underlying arithmetic logic errors go unnoticed. Integer overflow issues require not just code review but also runtime protections and automated constraint enforcement to prevent such exploits from reaching production systems. The event signals a renewed threat to virtual infrastructure security across industries.
