
CISA Warns: VMware ESXi Flaw Actively Exploited by Ransomware

Summary

– CISA confirmed ransomware gangs are now exploiting a high-severity VMware ESXi sandbox escape vulnerability (CVE-2025-22225).
– Broadcom patched this flaw and two others in March 2025, noting they were actively exploited zero-days affecting multiple VMware products.
– Chinese-speaking threat actors have likely been chaining these vulnerabilities in attacks since at least February 2024.
– CISA has ordered federal agencies to apply mitigations for this flaw, as it is now listed in its Known Exploited Vulnerabilities catalog.
– Ransomware groups frequently target VMware due to its widespread enterprise use, with CISA recently flagging other critical VMware flaws for patching.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a high-severity vulnerability in VMware ESXi is now being actively exploited by ransomware groups. The flaw lets an attacker who already controls a guest virtual machine break out of its sandbox onto the host. Broadcom patched it nearly a year ago, but it remains a significant threat to unpatched systems across both the public and private sectors.

Broadcom addressed this high-severity issue, tracked as CVE-2025-22225, in March 2025. It was fixed alongside two related vulnerabilities: an information-disclosure flaw caused by an out-of-bounds read (CVE-2025-22226) and a time-of-check to time-of-use (TOCTOU) race (CVE-2025-22224). At the time of the patch, Broadcom noted that all three were already being exploited as zero-days. The company explained that CVE-2025-22225 permits a malicious actor with privileges within the VMX process to trigger an arbitrary kernel write, resulting in a sandbox escape. These vulnerabilities affect a wide range of VMware products, including ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and the Telco Cloud Platform. An attacker who already holds administrator or root privileges inside a guest VM can chain the three flaws to break free of the virtual machine's isolated environment entirely.

Evidence suggests these vulnerabilities have been in use for some time. A report from cybersecurity firm Huntress last month indicated that Chinese-speaking threat actors have likely been chaining these flaws in zero-day attacks since at least February 2024. The situation has now escalated with CISA’s confirmation of ransomware involvement. In a recent update to its Known Exploited Vulnerabilities catalog, the agency formally flagged CVE-2025-22225 as being exploited in active ransomware campaigns, though specific details about the attacks were not disclosed.

CISA first added this vulnerability to its catalog in March 2025, issuing a binding directive that required federal agencies to secure their systems by March 25, 2025. The agency’s guidance remains clear: organizations must apply vendor-provided mitigations, follow Binding Operational Directive 22-01 guidance for cloud services, or discontinue use of the product if no mitigations are available. VMware products are a perennial target for both ransomware gangs and state-sponsored hackers due to their widespread deployment in enterprise environments, which often house sensitive corporate data.

This incident is part of a concerning pattern. For example, last October, CISA directed government agencies to patch a high-severity flaw (CVE-2025-41244) in Broadcom’s VMware Aria Operations and VMware Tools software after Chinese hackers were found exploiting it. More recently, in January, CISA tagged a critical VMware vCenter Server vulnerability (CVE-2024-37079) as actively exploited and set a February 13 deadline for federal agencies to secure their servers.

The scale of the ransomware threat is substantial. In related findings this week, cybersecurity company GreyNoise reported that CISA had “silently” added 59 security flaws to its list of vulnerabilities known to be used in ransomware campaigns in the past year alone, underscoring the persistent and evolving danger these exploits pose to organizational security.
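CISA edits existing KEV entries in place, for example flipping the knownRansomwareCampaignUse field from "Unknown" to "Known" as it did for CVE-2025-22225, and such edits produce no new catalog entry and no announcement. The only reliable way to catch them is to keep a copy of the KEV JSON feed and diff successive snapshots. The script below is an added example and not code from Bleeping Computer, GreyNoise or CISA. It uses the field names of the real KEV feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but the two snapshots embedded in it are constructed for illustration, trimmed to the fields the check reads, and their dates are illustrative rather than copied from the catalog.

```python
"""Diff two snapshots of the CISA Known Exploited Vulnerabilities (KEV) feed.

Added example. Detects (1) entries added since the last snapshot,
(2) entries whose ransomware flag was silently changed in place,
(3) VMware entries currently flagged for ransomware use, and
(4) entries whose BOD 22-01 remediation due date has passed.
"""
import json
from datetime import date
from typing import Dict, List, Tuple

# Constructed "previous" snapshot (illustrative values, not the live catalog).
KEV_BEFORE = json.dumps({
    "catalogVersion": "example-1",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-41244", "vendorProject": "Broadcom",
         "product": "VMware Aria Operations and VMware Tools",
         "dateAdded": "2025-10-30", "dueDate": "2025-11-20",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed "current" snapshot: one new vCenter entry, and the ESXi entry's
# ransomware flag flipped in place with no other visible change.
KEV_AFTER = json.dumps({
    "catalogVersion": "example-2",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-41244", "vendorProject": "Broadcom",
         "product": "VMware Aria Operations and VMware Tools",
         "dateAdded": "2025-10-30", "dueDate": "2025-11-20",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
         "dateAdded": "2026-01-23", "dueDate": "2026-02-13",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def _index(feed_json: str) -> Dict[str, dict]:
    """Map cveID -> entry for one snapshot of the feed."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def new_entries(before_json: str, after_json: str) -> List[str]:
    """CVEs present in the new snapshot but not the old one (the announced kind of change)."""
    return sorted(_index(after_json).keys() - _index(before_json).keys())


def ransomware_flag_changes(before_json: str, after_json: str) -> List[Tuple[str, str, str]]:
    """(cveID, old, new) for entries whose ransomware flag was edited in place."""
    before, after = _index(before_json), _index(after_json)
    changes = []
    for cve in sorted(before.keys() & after.keys()):
        old = before[cve].get("knownRansomwareCampaignUse", "Unknown")
        new = after[cve].get("knownRansomwareCampaignUse", "Unknown")
        if old != new:
            changes.append((cve, old, new))
    return changes


def vmware_ransomware_cves(feed_json: str) -> List[str]:
    """VMware entries flagged 'Known' for ransomware use. Newer entries list the
    vendor as Broadcom, so match on vendor and product text, not vendor alone."""
    hits = []
    for cve, v in _index(feed_json).items():
        haystack = (v.get("vendorProject", "") + " " + v.get("product", "")).lower()
        if "vmware" in haystack and v.get("knownRansomwareCampaignUse") == "Known":
            hits.append(cve)
    return sorted(hits)


def overdue(feed_json: str, today_iso: str) -> List[str]:
    """Entries whose BOD 22-01 due date is already in the past on the given day."""
    today = date.fromisoformat(today_iso)
    return sorted(cve for cve, v in _index(feed_json).items()
                  if date.fromisoformat(v["dueDate"]) < today)


if __name__ == "__main__":
    print("new:", new_entries(KEV_BEFORE, KEV_AFTER))
    print("flag changes:", ransomware_flag_changes(KEV_BEFORE, KEV_AFTER))
    print("vmware ransomware:", vmware_ransomware_cves(KEV_AFTER))
    print("overdue:", overdue(KEV_AFTER, "2026-02-01"))
```

To run this against the real catalog, save the feed to disk on a schedule and pass yesterday's and today's files as the two strings; the comparison is on cveID, so entries that CISA later renames or removes show up as disappearances from the "after" index and can be reported the same way.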

(Source: Bleeping Computer)
