VMware ESXi vulnerabilities: known CVEs & security history
VMware / Broadcom · Virtualization · 116 tracked CVEs · 8 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all VMware ESXi release lines — 116 in total, with 8 actively exploited in the wild. A CVE here doesn't mean your version is affected — check VMware ESXi's current status and the safe version to run.
Known VMware ESXi CVEs
Actively-exploited and most-severe first. Showing the top 80 of 116. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2020-3992⚡ exploited | critical | 9.8 | 83% | 2020 |
| CVE-2019-5544⚡ exploited | critical | 9.8 | 97% | 2019 |
| CVE-2025-22224⚡ exploited | critical | 9.3 | 2% | 2025 |
| CVE-2025-22225⚡ exploited | high | 8.2 | 1% | 2025 |
| CVE-2010-3904⚡ exploited | high | 7.8 | 11% | 2010 |
| CVE-2023-29552⚡ exploited | high | 7.5 | 66% | 2023 |
| CVE-2025-22226⚡ exploited | high | 7.1 | 2% | 2025 |
| CVE-2024-37085⚡ exploited | medium | 6.8 | 27% | 2024 |
| CVE-2012-1516 | critical | 9.9 | 3% | 2012 |
| CVE-2021-21994 | critical | 9.8 | 1% | 2021 |
| CVE-2010-0211 | critical | 9.8 | 29% | 2010 |
| CVE-2019-5521 | critical | 9.6 | 2% | 2019 |
| CVE-2024-22253 | critical | 9.3 | 1% | 2024 |
| CVE-2024-22252 | critical | 9.3 | 4% | 2024 |
| CVE-2020-3955 | critical | 9.3 | 1% | 2020 |
| CVE-2013-1405 | high | 10 | 3% | 2013 |
| CVE-2013-3658 | high | 9.4 | 4% | 2013 |
| CVE-2012-3288 | high | 9.3 | 4% | 2012 |
| CVE-2012-2450 | high | 9 | 2% | 2012 |
| CVE-2012-2449 | high | 9 | 3% | 2012 |
| CVE-2012-1517 | high | 9 | 2% | 2012 |
| CVE-2022-31696 | high | 8.8 | 0% | 2022 |
| CVE-2021-21974 | high | 8.8 | 45% | 2021 |
| CVE-2019-5527 | high | 8.8 | 0% | 2019 |
| CVE-2018-6981 | high | 8.8 | 1% | 2018 |
| CVE-2018-6974 | high | 8.8 | 0% | 2018 |
| CVE-2017-4941 | high | 8.8 | 3% | 2017 |
| CVE-2017-4933 | high | 8.8 | 4% | 2017 |
| CVE-2017-16544 | high | 8.8 | 6% | 2017 |
| CVE-2017-4924 | high | 8.8 | 1% | 2017 |
| CVE-2017-4904 | high | 8.8 | 0% | 2017 |
| CVE-2017-4903 | high | 8.8 | 0% | 2017 |
| CVE-2017-4902 | high | 8.8 | 1% | 2017 |
| CVE-2012-1518 | high | 8.3 | 2% | 2012 |
| CVE-2012-1515 | high | 8.3 | 1% | 2012 |
| CVE-2022-31705 | high | 8.2 | 2% | 2022 |
| CVE-2020-4004 | high | 8.2 | 0% | 2020 |
| CVE-2020-3968 | high | 8.2 | 1% | 2020 |
| CVE-2020-3962 | high | 8.2 | 1% | 2020 |
| CVE-2024-22273 | high | 8.1 | 0% | 2024 |
| CVE-2018-6967 | high | 8.1 | 2% | 2018 |
| CVE-2018-6966 | high | 8.1 | 2% | 2018 |
| CVE-2018-6965 | high | 8.1 | 3% | 2018 |
| CVE-2024-22254 | high | 7.9 | 1% | 2024 |
| CVE-2013-3519 | high | 7.9 | 1% | 2013 |
| CVE-2010-4263 | high | 7.9 | 3% | 2011 |
| CVE-2021-22042 | high | 7.8 | 0% | 2022 |
| CVE-2021-22045 | high | 7.8 | 5% | 2022 |
| CVE-2020-4005 | high | 7.8 | 0% | 2020 |
| CVE-2020-3969 | high | 7.8 | 0% | 2020 |
| CVE-2016-5330 | high | 7.8 | 18% | 2016 |
| CVE-2012-3289 | high | 7.8 | 2% | 2012 |
| CVE-2009-2698 | high | 7.8 | 7% | 2009 |
| CVE-2020-3982 | high | 7.7 | 1% | 2020 |
| CVE-2013-1659 | high | 7.6 | 2% | 2013 |
| CVE-2021-22050 | high | 7.5 | 2% | 2022 |
| CVE-2021-22043 | high | 7.5 | 1% | 2022 |
| CVE-2021-21995 | high | 7.5 | 1% | 2021 |
| CVE-2020-3967 | high | 7.5 | 0% | 2020 |
| CVE-2020-3966 | high | 7.5 | 0% | 2020 |
| CVE-2013-3657 | high | 7.5 | 3% | 2013 |
| CVE-2012-2448 | high | 7.5 | 4% | 2012 |
| CVE-2013-1406 | high | 7.2 | 1% | 2013 |
| CVE-2012-1510 | high | 7.2 | 0% | 2012 |
| CVE-2012-1508 | high | 7.2 | 0% | 2012 |
| CVE-2024-22255 | high | 7.1 | 2% | 2024 |
| CVE-2013-5970 | high | 7.1 | 2% | 2013 |
| CVE-2024-37086 | medium | 6.8 | 0% | 2024 |
| CVE-2019-5517 | medium | 6.8 | 1% | 2019 |
| CVE-2019-5516 | medium | 6.8 | 2% | 2019 |
| CVE-2019-5519 | medium | 6.8 | 1% | 2019 |
| CVE-2019-5518 | medium | 6.8 | 1% | 2019 |
| CVE-2021-22041 | medium | 6.7 | 1% | 2022 |
| CVE-2021-22040 | medium | 6.7 | 1% | 2022 |
| CVE-2022-31681 | medium | 6.5 | 0% | 2022 |
| CVE-2022-23825 | medium | 6.5 | 1% | 2022 |
| CVE-2020-3999 | medium | 6.5 | 0% | 2020 |
| CVE-2019-5536 | medium | 6.5 | 2% | 2019 |
| CVE-2018-6982 | medium | 6.5 | 0% | 2018 |
| CVE-2018-6977 | medium | 6.5 | 0% | 2018 |
36 older / lower-severity CVEs not shown — see VMware ESXi's full record.
Is my VMware ESXi version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your VMware ESXi version → · Monitor VMware ESXi for new CVEs →
VMware ESXi vulnerabilities — frequently asked
How many known vulnerabilities does VMware ESXi have?
IsItPatched tracks 116 CVEs for VMware ESXi, 8 of which are actively exploited (CISA KEV). 10 are critical-severity and 56 high-severity. These span every release line — what matters is whether the version you run is affected.
Does VMware ESXi have any actively-exploited vulnerabilities?
Yes — 8 VMware ESXi CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild (4 linked to ransomware). Patch these as a priority.
What is the most severe VMware ESXi vulnerability?
Among tracked issues, CVE-2020-3992 (CRITICAL, CVSS 9.8), which is actively exploited, ranks highest — a Use-after-free weakness.
Is VMware ESXi safe to use?
It depends on the version. The latest supported VMware ESXi release (9.1.0.0) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: VMware ESXi security status · VMware ESXi end-of-life · actively-exploited CVEs. Always verify against VMware / Broadcom's advisories — see our disclaimer.