Categories: Cyber Security News

CISA Warns of VMware ESXi 0-day Vulnerability Exploited in Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently confirmed that ransomware groups are actively exploiting CVE-2025-22225, a high-severity VMware ESXi sandbox escape vulnerability.

This flaw, patched by Broadcom in March 2025, enables attackers to escape virtual machine isolation and deploy ransomware across hypervisors.

CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi, rated Important with a CVSS score of 8.2. A malicious actor with privileges in the VMX process can trigger an arbitrary kernel write, breaking out of the sandbox to gain hypervisor control.

It was disclosed alongside two other zero-days, CVE-2025-22224 (CVSS 9.3, heap overflow in the VMCI driver) and CVE-2025-22226 (CVSS 7.1, HGFS information disclosure); Broadcom confirmed that all three were already being exploited in the wild when the advisory was published on March 4, 2025.

CVE ID           CVSS   Description                                        Affected products
CVE-2025-22224   9.3    VMCI heap overflow (TOCTOU out-of-bounds write)    ESXi 7.0, 8.0; Workstation 17.x
CVE-2025-22225   8.2    Arbitrary kernel write from the VMX process        ESXi 7.0, 8.0
CVE-2025-22226   7.1    HGFS out-of-bounds read (information disclosure)   ESXi, Workstation, Fusion

CISA added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog on March 4, 2025, requiring federal civilian agencies to remediate it by March 25, 2025 under BOD 22-01.

A KEV update on February 3, 2026 flagged the vulnerability as known to be used in ransomware campaigns, although CISA has not named the groups involved. Attackers chain it with the other two flaws for a full guest-to-host escape, targeting enterprise hypervisors that host sensitive workloads.

The chain starts from an attacker who already holds administrative access inside a guest VM. From there, the VMCI heap overflow (CVE-2025-22224) yields code execution in the VMX process, the arbitrary kernel write (CVE-2025-22225) breaks out of the VMX sandbox onto the hypervisor, and the HGFS leak (CVE-2025-22226) discloses VMX memory to defeat ASLR. Tradecraft reported alongside the chain includes tampering with the guest's VMCI drivers and loading unsigned kernel drivers.

The result is a stealthy backdoor such as VSOCKpuppet, which gives persistent control of the hypervisor over the VM-to-host VSOCK channel and so evades conventional network monitoring. Earlier reporting attributes use of the chain since February 2024 to Chinese-linked actors who entered through compromised SonicWall VPNs, staging data exfiltration and preparing ransomware deployment.


Broadcom’s VMSA-2025-0004 advisory confirmed in-the-wild exploitation when the patches were released. Internet-wide scans found more than 41,500 exposed ESXi instances still running vulnerable builds, which widens the ransomware exposure. Huntress reported an exploit toolkit covering 155 distinct ESXi builds, with PDB paths indicating it had been under development for over a year before disclosure.

Apply the Broadcom patches for ESXi 7.0 and 8.0 and the related products immediately. Follow the KEV required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Strengthen detection with EDR monitoring for anomalous VMX process behaviour, restrict who holds administrative rights inside guest VMs (the starting point of the chain), and hunt for indicators such as unsigned kernel drivers in guests and unexpected VSOCK traffic.
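The first check any practitioner wants after reading the recommendations above is a fleet-wide answer to "which of my hosts still runs a build without the fix?". The following script is an added example, not code from the article, CISA or Broadcom: it parses the text printed by `esxcli system version get` on an ESXi host and compares the build against the first fixed build of that release line. The fixed build numbers are an assumption taken from VMSA-2025-0004 and must be verified against the advisory before use; the sample host outputs are constructed for the example.

```python
"""Triage ESXi hosts against the VMSA-2025-0004 fixed builds (added example).

Parses the output of `esxcli system version get` (collected over SSH, from a
jump host, or pasted from a console) and classifies each host as PATCHED,
VULNERABLE, or UPGRADE (release line with no fix available).
"""
import re
from dataclasses import dataclass

# First build on each release line that contains the fix for CVE-2025-22224,
# CVE-2025-22225 and CVE-2025-22226. ASSUMPTION: values taken from
# VMSA-2025-0004; verify against the advisory before relying on them.
FIXED_BUILDS = {
    "7.0.3": 24585291,  # ESXi 7.0 Update 3s
    "8.0.2": 24585300,  # ESXi 8.0 Update 2d
    "8.0.3": 24585383,  # ESXi 8.0 Update 3d
}

# Constructed sample output of `esxcli system version get` from three hosts.
SAMPLE_OUTPUTS = {
    "esx01": (
        "   Product: VMware ESXi\n"
        "   Version: 8.0.3\n"
        "   Build: Releasebuild-24585383\n"
        "   Update: 3\n"
    ),
    "esx02": (
        "   Product: VMware ESXi\n"
        "   Version: 7.0.3\n"
        "   Build: Releasebuild-23794027\n"
        "   Update: 3\n"
    ),
    "esx03": (
        "   Product: VMware ESXi\n"
        "   Version: 8.0.1\n"
        "   Build: Releasebuild-22088125\n"
        "   Update: 1\n"
    ),
}


@dataclass(frozen=True)
class EsxiHost:
    name: str
    version: str  # e.g. "8.0.3"
    build: int    # numeric part of "Releasebuild-NNNNNNNN"


def parse_version_output(name: str, text: str) -> EsxiHost:
    """Extract version and build from esxcli output; raise on unexpected text."""
    version = re.search(r"^\s*Version:\s*(\d+\.\d+\.\d+)\s*$", text, re.M)
    build = re.search(r"^\s*Build:\s*Releasebuild-(\d+)\s*$", text, re.M)
    if not version or not build:
        raise ValueError(f"{name}: could not parse esxcli system version output")
    return EsxiHost(name=name, version=version.group(1), build=int(build.group(1)))


def assess(host: EsxiHost) -> str:
    """Classify a host relative to the first fixed build of its release line.

    A release line absent from FIXED_BUILDS (e.g. 8.0.0, 8.0.1) never received
    a fix, so the only remediation is to move to a supported line.
    """
    fixed = FIXED_BUILDS.get(host.version)
    if fixed is None:
        return "UPGRADE"
    return "PATCHED" if host.build >= fixed else "VULNERABLE"


def triage(outputs: dict[str, str]) -> dict[str, str]:
    """Map host name -> status for a batch of collected esxcli outputs."""
    return {name: assess(parse_version_output(name, text)) for name, text in outputs.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_OUTPUTS).items()):
        print(f"{host:8} {status}")
```

Run it against real output by replacing `SAMPLE_OUTPUTS` with text gathered from each host (for example `ssh root@host esxcli system version get`); anything other than PATCHED is a host to schedule before the next maintenance window, and the UPGRADE bucket deserves the same urgency as VULNERABLE because no patch exists for it.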

VMware ESXi’s ubiquity in enterprises makes it a prime ransomware vector, as seen in prior campaigns. Organizations should prioritize hypervisor patching amid rising state-sponsored and cybercrime threats. Unpatched systems risk full infrastructure encryption and data theft.


The post CISA Warns of VMware ESXi 0-day Vulnerability Exploited in Ransomware Attacks appeared first on Cyber Security News.
