
Exploitation of CVE‑2025‑22225 demonstrates how quickly zero‑day flaws can be weaponized, threatening critical enterprise workloads and prompting urgent government‑mandated remediation.
The VMware ESXi platform underpins a vast swath of enterprise infrastructure, from private clouds to telco networks. CVE‑2025‑22225 is a sandbox‑escape vulnerability that grants an attacker the ability to perform arbitrary kernel writes, effectively breaking the isolation that virtual machines rely on for security. Coupled with two other flaws—CVE‑2025‑22224 (a TOCTOU issue) and CVE‑2025‑22226 (a memory‑leak)—the attack surface expands, enabling sophisticated threat actors to chain exploits and gain host‑level control. Understanding the technical mechanics is essential for security teams assessing risk across heterogeneous VMware deployments.
Ransomware operators have rapidly incorporated this exploit into their playbooks, leveraging the privileged VMX process to pivot from a compromised guest to the hypervisor layer. CISA’s inclusion of CVE‑2025‑22225 in its KEV catalog underscores a broader trend: zero‑day vulnerabilities in virtualization software are increasingly weaponized in high‑impact ransomware campaigns. The agency’s Binding Operational Directive 22‑01 forces federal entities to remediate within a tight window, signaling that the threat is not confined to the public sector but is a bellwether for private‑sector exposure as well. This escalation mirrors prior incidents, such as the exploitation of VMware Aria Operations and vCenter Server flaws, highlighting a persistent focus on VMware’s extensive product suite.
Mitigation now hinges on swift patch deployment, rigorous configuration hardening, and continuous monitoring for anomalous VMX activity. Organizations should verify that Broadcom’s March 2025 patches are applied across all ESXi hosts, and where patches are unavailable, consider temporary isolation or decommissioning of vulnerable instances. Additionally, adopting micro‑segmentation and limiting administrative privileges can reduce the attack surface. As threat actors continue to chain vulnerabilities, a proactive, layered defense strategy becomes indispensable for protecting critical workloads and maintaining compliance with emerging cybersecurity mandates.
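The patch-verification step above is easy to state and tedious to do by hand across a large fleet. The script below is an added example, not code from the article or from Broadcom or VMware: it parses the text that `esxcli system version get` prints on each ESXi host, compares the build number against a per-version minimum, and reports every host that is not positively confirmed as patched (older build, unknown version line, or unparseable output, which all deserve a second look rather than silent success). The host output is constructed sample data, and the minimum-build table holds labelled placeholder numbers that an operator must replace with the fixed builds listed in Broadcom's advisory for CVE-2025-22225.

```python
"""Flag ESXi hosts whose build is below a minimum patched build.

Added example. Input is the output of `esxcli system version get`, which an
operator collects from each host (over SSH, or via a vCenter export). The
build thresholds below are PLACEHOLDERS, not the real fixed builds.
"""
import re

# PLACEHOLDER thresholds keyed by major.minor ESXi version. Replace with the
# fixed build numbers from Broadcom's advisory before using this in anger.
PLACEHOLDER_MIN_BUILDS = {
    "7.0": 24_000_000,  # placeholder value, not a real build number
    "8.0": 24_000_000,  # placeholder value, not a real build number
}

# Constructed sample: what `esxcli system version get` returned on five hosts.
SAMPLE_HOSTS = {
    "esx-01.example.internal": (
        "   Product: VMware ESXi\n   Version: 8.0.3\n"
        "   Build: Releasebuild-24000001\n   Update: 3\n   Patch: 0\n"
    ),
    "esx-02.example.internal": (
        "   Product: VMware ESXi\n   Version: 8.0.2\n"
        "   Build: Releasebuild-23999999\n   Update: 2\n   Patch: 0\n"
    ),
    "esx-03.example.internal": (
        "   Product: VMware ESXi\n   Version: 7.0.3\n"
        "   Build: Releasebuild-24000000\n   Update: 3\n   Patch: 0\n"
    ),
    "esx-04.example.internal": (  # version family with no baseline in the table
        "   Product: VMware ESXi\n   Version: 6.7.0\n"
        "   Build: Releasebuild-17700523\n   Update: 3\n   Patch: 0\n"
    ),
    "esx-05.example.internal": "ssh: connect to host esx-05: Connection timed out\n",
}

_FIELD = re.compile(r"^\s*(\w+):\s*(.*?)\s*$", re.MULTILINE)
_BUILD = re.compile(r"(\d+)\s*$")


def parse_esxcli_version(text):
    """Parse `esxcli system version get` output into product/version/build."""
    fields = {m.group(1).lower(): m.group(2) for m in _FIELD.finditer(text)}
    if "version" not in fields or "build" not in fields:
        raise ValueError("not esxcli version output")
    m = _BUILD.search(fields["build"])  # 'Releasebuild-24000001' -> 24000001
    if not m:
        raise ValueError(f"unrecognised build string: {fields['build']!r}")
    return {
        "product": fields.get("product", ""),
        "version": fields["version"],
        "build": int(m.group(1)),
    }


def major_version(version):
    """'8.0.3' -> '8.0', the key used in the threshold table."""
    return ".".join(version.split(".")[:2])


def assess_host(name, text, min_builds):
    """Return (host, status, detail); status is patched, unpatched or review."""
    try:
        info = parse_esxcli_version(text)
    except ValueError as exc:
        return (name, "review", f"unparseable output: {exc}")
    major = major_version(info["version"])
    if major not in min_builds:
        return (name, "review", f"no baseline for ESXi {info['version']}")
    if info["build"] < min_builds[major]:
        return (name, "unpatched", f"build {info['build']} < {min_builds[major]}")
    return (name, "patched", f"build {info['build']}")


def find_unpatched(hosts, min_builds):
    """Every host not positively confirmed as patched, sorted by name."""
    results = (assess_host(n, t, min_builds) for n, t in hosts.items())
    return sorted(r for r in results if r[1] != "patched")


if __name__ == "__main__":
    for host, status, detail in find_unpatched(SAMPLE_HOSTS, PLACEHOLDER_MIN_BUILDS):
        print(f"{status:9} {host}: {detail}")
```

Treating "could not parse" and "no baseline for this version" as review items rather than passes is the point of the design: a host that timed out, or one running a version family the table does not cover, is exactly the host most likely to be forgotten, and the isolation or decommissioning decision the article describes has to be made for it explicitly.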