Ransomware Attacks: VMware ESXi Flaw Exploited by Hackers (2026)

Attention all IT professionals and cybersecurity enthusiasts: A significant threat has emerged in the form of a VMware ESXi vulnerability that’s being actively exploited by ransomware groups! This alarming issue was confirmed by the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday, highlighting the urgency for organizations to address this risk.

The vulnerability in question is a serious flaw related to VMware ESXi, which allows attackers to escape from a virtual machine's sandbox environment. Identified as CVE-2025-22225, this issue was first patched by Broadcom back in March 2025, along with two other vulnerabilities—a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224). All three vulnerabilities were categorized as zero-days, meaning they were actively being exploited before the patches were made available.

Broadcom explained that "a malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox." This means that if an attacker gains sufficient privileges inside a virtual machine, they can manipulate the system to gain access beyond its intended boundaries. Such vulnerabilities pose a severe threat, as they can potentially compromise sensitive data stored in enterprise systems.

The implications are particularly critical given that these flaws affect various VMware products, including VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform. Attackers who possess administrative or root access can exploit these vulnerabilities in tandem, thereby executing sophisticated attacks that extend beyond mere virtual machine confinement.

Interestingly, a report from Huntress, a cybersecurity firm, revealed that Chinese-speaking threat actors have likely been exploiting these vulnerabilities since at least February 2024, indicating that this is not just a recent issue but rather a longstanding threat that has evolved over time.

In CISA’s latest update to their Known Exploited Vulnerabilities catalog, they confirmed that CVE-2025-22225 is now officially recognized as a target for ransomware campaigns. However, details regarding the specifics of these ongoing attacks remain sparse. Previously, CISA had added this vulnerability to their catalog in early March 2025, urging federal agencies to secure their systems by March 25 of the same year as part of their Binding Operational Directive (BOD) 22-01.

CISA emphasized the importance of adhering to vendor instructions for applying mitigation measures, following relevant BOD guidance for cloud services, or discontinuing the use of affected products if no mitigations are available. The agency’s proactive stance is crucial because VMware products are widely utilized in enterprise settings, often housing sensitive corporate information, making them prime targets for both ransomware gangs and state-sponsored hacking groups.

For example, in October, CISA instructed government entities to patch a different high-severity vulnerability (CVE-2025-41244) present in Broadcom's VMware Aria Operations and VMware Tools software, which had been under exploitation by Chinese hackers since October 2024. Furthermore, in January, CISA flagged a critical VMware vCenter Server vulnerability (CVE-2024-37079) as actively exploited, mandating federal agencies to fortify their servers by February 13.

In another related update, GreyNoise, a cybersecurity company, announced that CISA has discreetly categorized 59 security vulnerabilities as known to be exploited in ransomware campaigns throughout the last year alone.
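The two CISA updates described above (the KEV listing for CVE-2025-22225 in the paragraph on the catalog, and the ransomware flag GreyNoise counted across 59 entries) are the kind of thing a patch-management team checks programmatically. The following is an added example, not code from the article, CISA or GreyNoise: it parses a feed in the layout of CISA's KEV JSON export (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), looks up a list of CVE IDs from an organization's own inventory, and ranks them by ransomware use and overdue status. The feed content is constructed for offline use; only the CVE-2025-22225 dates reflect what the article states, and the second entry is a placeholder.

```python
"""Triage inventory CVEs against a CISA KEV-style feed (added example)."""
import json
from datetime import date

# Constructed sample feed in the layout of CISA's KEV JSON export. The
# CVE-2025-22225 due date comes from the article ("early March 2025",
# due March 25); the exact dateAdded day is assumed, and the second
# entry is a pure placeholder that says nothing about the real catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Sample KEV feed (constructed)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-22225",
            "vendorProject": "VMware",
            "product": "ESXi",
            "dateAdded": "2025-03-04",
            "dueDate": "2025-03-25",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-00001",  # placeholder, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2026-01-10",
            "dueDate": "2026-01-31",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def triage(feed_json: str, cve_ids, today: date) -> dict:
    """Return per-CVE status: in_kev, ransomware, overdue, due.

    The KEV feed uses the literal strings "Known" / "Unknown" for
    knownRansomwareCampaignUse; anything other than "Known" is treated
    as not confirmed. A CVE missing from the feed is reported as such
    rather than skipped, so the caller can see what was not covered.
    """
    catalog = {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}
    results = {}
    for cve in cve_ids:
        entry = catalog.get(cve)
        if entry is None:
            results[cve] = {"in_kev": False, "ransomware": False,
                            "overdue": False, "due": None}
            continue
        due = date.fromisoformat(entry["dueDate"])
        results[cve] = {
            "in_kev": True,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "overdue": today > due,
            "due": entry["dueDate"],
        }
    return results


def prioritize(results: dict) -> list:
    """Order CVE IDs: ransomware-flagged first, then overdue, then any
    KEV entry, then CVEs not in the feed; ties broken by CVE ID."""
    return sorted(
        results,
        key=lambda c: (not results[c]["ransomware"],
                       not results[c]["overdue"],
                       not results[c]["in_kev"],
                       c),
    )


if __name__ == "__main__":
    # Constructed inventory: the three March 2025 CVEs plus the placeholder.
    inventory = ["CVE-2025-22224", "CVE-2025-22225", "CVE-2025-22226",
                 "CVE-0000-00001"]
    status = triage(SAMPLE_KEV_JSON, inventory, date(2026, 1, 20))
    for cve in prioritize(status):
        print(cve, status[cve])
```

Against the live catalog, the same functions run over the JSON export CISA publishes for the KEV catalog; the value to watch for a CVE already present, as the article notes for CVE-2025-22225, is the `knownRansomwareCampaignUse` field flipping from "Unknown" to "Known" after the initial listing.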

As we navigate this rapidly changing landscape of IT infrastructure, it’s essential for teams to adapt to modern challenges. By leveraging automated response strategies and building intelligent workflows, businesses can enhance reliability and minimize potential delays. This new Tines guide illustrates how organizations can streamline their processes, ensuring they stay ahead of emerging threats.

So, what do you think? Are organizations doing enough to safeguard against such vulnerabilities, or is there a larger issue at play in the cybersecurity landscape? Share your thoughts in the comments below!

Author: Rueben Jacobs