Critical VMware ESXi Vulnerability Exploited in Ransomware Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently confirmed that ransomware groups are actively exploiting a high-severity vulnerability in VMware ESXi, identified as CVE-2025-22225. This flaw, which was patched by Broadcom in March 2025, allows attackers to escape virtual machine isolation and deploy ransomware across hypervisors.
Understanding CVE-2025-22225
CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi, carrying a CVSS score of 8.2. It enables a malicious actor with privileges in the VMX process to perform arbitrary kernel writes, effectively breaking out of the sandbox to gain control over the hypervisor. This vulnerability was disclosed alongside two other zero-days:
– CVE-2025-22224: A heap overflow vulnerability in the VMCI driver, rated with a CVSS score of 9.3.
– CVE-2025-22226: An information disclosure flaw in the Host-Guest File System (HGFS), with a CVSS score of 7.1.
All three vulnerabilities have been exploited in the wild since at least early 2025.
CISA’s Response and Recommendations
On March 4, 2025, CISA added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by March 25 under Binding Operational Directive (BOD) 22-01. Subsequent updates on February 3, 2026, highlighted its use in ransomware campaigns, though specific threat groups were not disclosed.
Exploitation Techniques
Attackers often chain CVE-2025-22225 with other vulnerabilities to achieve full virtual machine escape, targeting enterprise hypervisors that store sensitive data. The exploitation process typically involves:
1. Initial Compromise: Gaining administrative access to a virtual machine.
2. Disabling VMCI Drivers: To facilitate the loading of unsigned kernel drivers.
3. Memory Leakage: Exploiting the VMX process to bypass Address Space Layout Randomization (ASLR).
4. Deploying Backdoors: Installing stealthy backdoors like VSOCKpuppet for persistent hypervisor control, effectively evading network monitoring.
Notably, Chinese-linked hackers have exploited this chain since February 2024, often via compromised SonicWall VPNs, leading to data exfiltration and ransomware deployment.
Current Threat Landscape
Broadcom’s VMSA-2025-0004 advisory confirmed in-the-wild exploitation at the time of patch release. Despite the availability of patches, scans show that over 41,500 exposed ESXi instances remain vulnerable, amplifying the risk of ransomware attacks. Security firm Huntress reported a toolkit targeting 155 ESXi builds, with development traces dating back over a year.
Mitigation Strategies
To protect against these vulnerabilities, organizations should:
1. Apply Patches Promptly: Implement Broadcom’s patches for ESXi 7.0/8.0 and related products without delay.
2. Follow CISA’s Guidance: Implement vendor mitigations as CISA recommends, follow the applicable BOD 22-01 guidance for cloud environments, or discontinue use of systems that cannot be patched.
3. Enhance Monitoring: Use Endpoint Detection and Response (EDR) tools to monitor for anomalies in the VMX process.
4. Restrict Privileges: Limit administrative privileges within virtual machines to reduce the risk of exploitation.
5. Scan for Indicators of Compromise (IOCs): Regularly check for signs such as unsigned drivers or unusual VSOCK traffic.
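The following is an added example, not code from the article, Broadcom or CISA, showing how two of the steps above (patch-level compliance and the unsigned-driver check) can be automated offline against saved command output. It assumes the host version and build come from `esxcli system version get` (fields `Version:` and `Build:`), the module inventory from `esxcli system module list` (columns Name / Is Loaded / Is Enabled) and per-module detail from `esxcli system module get -m <name>` (field `Signed Status:`); verify those field names against your own ESXi build. The fixed build numbers in `FIXED_BUILDS` are placeholders and must be replaced with the values given in VMSA-2025-0004; all sample command output below is constructed.

```python
"""Offline audit helper for ESXi patch level and unsigned loaded modules.

Added example; field names are assumptions taken from typical esxcli output
and the fixed build numbers are PLACEHOLDERS (replace with VMSA-2025-0004 values).
"""
import re

# PLACEHOLDER fixed builds keyed by the ESXi version string esxcli reports.
# Replace every value with the fixed build listed in VMSA-2025-0004.
FIXED_BUILDS = {
    "7.0.3": 70399999,  # placeholder for the ESXi 7.0 U3 fixed build
    "8.0.2": 80299999,  # placeholder for the ESXi 8.0 U2 fixed build
    "8.0.3": 80399999,  # placeholder for the ESXi 8.0 U3 fixed build
}


def parse_version_output(text):
    """Extract (version, build) from `esxcli system version get` style output."""
    version = re.search(r"^\s*Version:\s*(\S+)", text, re.M)
    build = re.search(r"^\s*Build:\s*(?:Releasebuild-)?(\d+)", text, re.M)
    if not version or not build:
        raise ValueError("could not find Version/Build fields in output")
    return version.group(1), int(build.group(1))


def patch_status(version, build):
    """Return 'patched', 'vulnerable' or 'unknown' for a host's version/build."""
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return "unknown"  # version line not in the table: needs manual review
    return "patched" if build >= fixed else "vulnerable"


def loaded_modules(module_list_text):
    """Parse `esxcli system module list` output; return names of loaded modules."""
    loaded = []
    for line in module_list_text.splitlines():
        parts = line.split()
        # Skip the header and separator rows, which have no true/false in column 2.
        if len(parts) >= 3 and parts[1].lower() == "true":
            loaded.append(parts[0])
    return loaded


def is_vmware_signed(module_get_text):
    """True only when `esxcli system module get` reports 'VMware Signed'."""
    m = re.search(r"^\s*Signed Status:\s*(.+?)\s*$", module_get_text, re.M)
    return bool(m) and m.group(1) == "VMware Signed"


def audit_host(version_text, module_list_text, module_details):
    """Return a list of findings; module_details maps name -> module get output."""
    version, build = parse_version_output(version_text)
    findings = []
    status = patch_status(version, build)
    if status != "patched":
        findings.append(f"build {build} ({version}) is {status}")
    for name in loaded_modules(module_list_text):
        detail = module_details.get(name)
        # A loaded module with no detail record, or one not signed by VMware, is flagged.
        if detail is None or not is_vmware_signed(detail):
            findings.append(f"loaded module {name} is not VMware-signed")
    return findings


# Constructed sample output (not captured from a real host).
SAMPLE_VERSION = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-80300001
   Update: 3
   Patch: 0
"""
SAMPLE_MODULE_LIST = """\
Name              Is Loaded  Is Enabled
----------------  ---------  ----------
vmkapi_v2_2_0_0   true       true
nvme_pcie         true       true
unsigned_mod      true       true
iser              false      true
"""
SAMPLE_MODULE_DETAILS = {
    "vmkapi_v2_2_0_0": "   Module: vmkapi_v2_2_0_0\n   Signed Status: VMware Signed\n",
    "nvme_pcie": "   Module: nvme_pcie\n   Signed Status: VMware Signed\n",
    "unsigned_mod": "   Module: unsigned_mod\n   Signed Status: Unsigned\n",
}

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_VERSION, SAMPLE_MODULE_LIST, SAMPLE_MODULE_DETAILS):
        print("FINDING:", finding)
```

Hosts whose version string is not in the table are reported as `unknown` rather than silently passed, so an end-of-life release or an unexpected build still surfaces for review; modules that are loaded but never appear in the detail dump are likewise flagged, since a missing record is as suspicious as an unsigned one.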
Conclusion
Given VMware ESXi’s widespread use in enterprise environments, it remains a prime target for ransomware attacks. Organizations must prioritize patching and implement robust security measures to mitigate the risks associated with these vulnerabilities. Failure to do so could result in full infrastructure encryption and significant data loss.