
CISA Warns: Ransomware Attackers Exploit VMware ESXi Flaw

Originally published on: February 6, 2026
Summary

– CISA confirmed that the VMware ESXi vulnerability CVE-2025-22225 is being exploited in ransomware campaigns by adding it to its Known Exploited Vulnerabilities catalog.
– Broadcom fixed three related VMware vulnerabilities (CVE-2025-22225, -22224, -22226) in early March 2025, which were already being exploited as zero-days.
– In January 2026, researchers observed an exploit toolkit they believe leverages all three vulnerabilities, potentially developed by Chinese-speaking actors in early 2024.
– Only one of the three vulnerabilities is currently flagged for ransomware use in the KEV catalog, creating a lag that complicates patch prioritization for the private sector.
– A security researcher has created an RSS feed workaround to alert subscribers when CISA updates the ransomware use status of vulnerabilities in the KEV catalog.

A critical vulnerability in VMware ESXi is now confirmed as an active tool for ransomware groups, prompting urgent calls for system administrators to apply patches. The Cybersecurity and Infrastructure Security Agency (CISA) has officially added the flaw, tracked as CVE-2025-22225, to its Known Exploited Vulnerabilities catalog with a specific ransomware designation. This move confirms that malicious actors are actively leveraging this security gap to deploy file-encrypting malware, posing a severe threat to unpatched virtual environments.

This vulnerability is one of three zero-day flaws that Broadcom addressed in March 2025. The other two, CVE-2025-22224 and CVE-2025-22226, were patched at the same time. At the time of the fix, Broadcom indicated all three had likely been exploited in the wild, though specific attack details were scarce. All three were promptly added to CISA’s KEV catalog, which imposes remediation deadlines on U.S. federal agencies. New analysis from cybersecurity firm Huntress in early 2026 provided deeper insight: its researchers identified an exploit toolkit they believe weaponizes all three vulnerabilities in concert. The toolkit’s behavior, using HGFS for information disclosure (matching CVE-2025-22226), VMCI for memory corruption (matching CVE-2025-22224), and shellcode to escalate to kernel privileges on the host (matching the arbitrary kernel write of CVE-2025-22225), strongly suggests it leverages this specific vulnerability chain. Because each stage depends on the one before it, the three flaws are best treated as a single patching unit rather than prioritized individually.

Huntress also uncovered evidence pointing to the toolkit’s origins, suggesting it may have been developed by Chinese-speaking actors more than a year before VMware’s public disclosure, potentially in early 2024. This highlights the advanced preparation and stealth often employed by sophisticated threat groups.

A significant point of concern for the broader security community is the current status of these flaws in CISA’s catalog. While CVE-2025-22225 is now flagged as “Known To Be Used in Ransomware Campaigns,” the status for the other two vulnerabilities remains “Unknown.” In the catalog that value means CISA has not confirmed ransomware use, not that none has occurred, yet the discrepancy still creates a challenge for patch prioritization, especially for private-sector organizations that rely heavily on the KEV catalog to guide their security efforts. For these entities, which are frequent ransomware targets, knowing which vulnerabilities are directly tied to extortion campaigns is crucial for allocating limited defensive resources effectively.

The delay in updating these ransomware flags means organizations might deprioritize patching the full set of vulnerabilities, leaving the rest of the chain open to attackers. As security expert Glenn Thorpe of GreyNoise noted, relying on the KEV catalog for prioritization is already a reactive strategy, and waiting for the specific ransomware flag slows the response further. In response to this lag, Thorpe has created a practical workaround: an RSS feed that polls the KEV catalog hourly and alerts subscribers within about an hour of CISA changing a vulnerability’s ransomware status to “Known.” This gives security teams faster, actionable intelligence to bolster their defenses against these pervasive threats.
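The feed Thorpe describes boils down to diffing successive copies of the public KEV JSON and watching one field. The block below is an added example written for this article, not code from GreyNoise, Huntress, CISA or the HelpNet Security piece. It assumes the catalog’s published schema (a top-level "vulnerabilities" list whose entries carry "cveID", "vendorProject", "product", "dateAdded" and "knownRansomwareCampaignUse" with the value "Known" or "Unknown") and goes one step beyond the feed: when an entry flips to "Known", it also surfaces same-vendor, same-product entries added the same day that are still "Unknown", which is the prioritization gap described above. The two snapshots embedded in the block are constructed; only the CVE IDs come from the article, and the product string and date in them are illustrative.

```python
"""Track ransomware-use changes in CISA's KEV catalog between two snapshots.

Added example for this article; it is not code from HelpNet Security, GreyNoise,
Huntress or CISA. It assumes the public KEV JSON schema: a top-level
"vulnerabilities" list whose entries carry "cveID", "vendorProject", "product",
"dateAdded" and "knownRansomwareCampaignUse" (value "Known" or "Unknown").
"""
import json
import urllib.request

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")


def fetch_catalog(url=KEV_URL, timeout=30):
    """Download the live catalog. Never called at import time, so the rest of
    this module runs offline against the constructed snapshots below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def _status(entry):
    # A missing field is treated as "Unknown", CISA's default value.
    return entry.get("knownRansomwareCampaignUse", "Unknown")


def ransomware_flips(previous, current):
    """CVE IDs that read "Known" now but did not in the previous snapshot
    (entries that are new and already "Known" are included)."""
    before = {v["cveID"]: _status(v) for v in previous["vulnerabilities"]}
    return sorted(
        v["cveID"] for v in current["vulnerabilities"]
        if _status(v) == "Known" and before.get(v["cveID"]) != "Known"
    )


def unflagged_siblings(current, cve_id):
    """Other entries for the same vendor/product added on the same day that
    still read "Unknown". This grouping is the editor's own heuristic, not a
    CISA field: a chained exploit needs every link patched, whether or not
    each link carries the ransomware flag yet."""
    by_id = {v["cveID"]: v for v in current["vulnerabilities"]}
    anchor = by_id[cve_id]
    key = (anchor["vendorProject"], anchor["product"], anchor["dateAdded"])
    return sorted(
        v["cveID"] for v in current["vulnerabilities"]
        if v["cveID"] != cve_id
        and (v["vendorProject"], v["product"], v["dateAdded"]) == key
        and _status(v) != "Known"
    )


def ransomware_report(previous, current):
    """Map each newly flagged CVE to the unflagged siblings to patch with it."""
    return {cve: unflagged_siblings(current, cve)
            for cve in ransomware_flips(previous, current)}


def _entry(cve, status):
    # Constructed sample entry: the CVE IDs are from the article; the product
    # string and dateAdded are illustrative, not copied from the live catalog.
    return {"cveID": cve, "vendorProject": "VMware", "product": "ESXi",
            "dateAdded": "2025-03-04", "knownRansomwareCampaignUse": status}


# Constructed snapshots standing in for two consecutive hourly polls.
SNAPSHOT_BEFORE = {"vulnerabilities": [
    _entry("CVE-2025-22224", "Unknown"),
    _entry("CVE-2025-22225", "Unknown"),
    _entry("CVE-2025-22226", "Unknown"),
]}
SNAPSHOT_AFTER = {"vulnerabilities": [
    _entry("CVE-2025-22224", "Unknown"),
    _entry("CVE-2025-22225", "Known"),
    _entry("CVE-2025-22226", "Unknown"),
]}

if __name__ == "__main__":
    for cve, sibs in ransomware_report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{cve} now flagged for ransomware; patch alongside: "
              f"{', '.join(sibs) or 'none'}")
```

To run this as a monitor, call fetch_catalog() on a schedule, keep the previous download on disk, and pass the previous and current documents to ransomware_report; the sibling grouping is deliberately coarse (same vendor, product and dateAdded) and is meant to prompt a review of related advisories, not to replace one.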

(Source: HelpNet Security)
