CISA Confirms VMware ESXi Flaw CVE-2025-22225 Now Exploited in Active Ransomware Campaigns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to confirm that CVE-2025-22225, a high-severity VMware ESXi sandbox escape vulnerability, is now being actively exploited in ransomware attacks.

The Vulnerability

CVE-2025-22225 is an arbitrary-write vulnerability that allows attackers with privileges within the VMX process to trigger an arbitrary kernel write, enabling escape from the virtual machine sandbox. Broadcom patched this flaw in March 2025 alongside two related vulnerabilities:

  • CVE-2025-22225 — Arbitrary write (sandbox escape)
  • CVE-2025-22226 — Memory leak vulnerability
  • CVE-2025-22224 — TOCTOU (Time-of-Check to Time-of-Use) flaw

All three were tagged as actively exploited zero-days at the time of patching.

Exploited by Chinese Threat Actors Since February 2024

According to a report from cybersecurity firm Huntress, Chinese-speaking threat actors have likely been chaining these flaws in sophisticated zero-day attacks since at least February 2024 — a full year before public disclosure. This extended exploitation window allowed attackers to compromise enterprise virtualization infrastructure with minimal detection.

Why Ransomware Gangs Target VMware

VMware products are prime targets for ransomware operators because:

  • Enterprise prevalence — VMware ESXi is deployed across most large organizations
  • High-value data — Virtual machines often contain critical business systems and sensitive data
  • Mass encryption potential — Compromising the hypervisor allows encryption of all hosted VMs simultaneously
  • Sandbox escape = full control — Breaking out of VM isolation gives attackers access to the underlying infrastructure

Affected Products

The vulnerabilities affect multiple VMware products:

  • VMware ESXi
  • VMware Fusion
  • VMware Cloud Foundation
  • VMware vSphere
  • VMware Workstation
  • VMware Telco Cloud Platform

Immediate Actions Required

CISA mandates that federal agencies secure their systems per Binding Operational Directive (BOD) 22-01. All organizations running VMware products should:

  1. Patch immediately — Apply the March 2025 security updates from Broadcom
  2. Audit access — Review who has privileged administrator or root access to VMware infrastructure
  3. Monitor for indicators — Watch for signs of VM escape attempts or unusual hypervisor activity
  4. Segment networks — Ensure VMware management interfaces are not exposed to the internet
  5. Verify backups — Confirm offline backups exist for critical virtual machines

Part of a Larger Pattern

This week, security firm GreyNoise reported that CISA has “silently” tagged 59 security flaws as known to be used in ransomware campaigns throughout 2025 alone. The VMware ESXi flaw is part of an ongoing trend of ransomware groups specifically targeting virtualization and enterprise infrastructure.
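One way to catch the kind of quiet KEV re-tagging GreyNoise describes, as an added example that is not from the article, CISA or GreyNoise: diff two saved copies of the KEV JSON feed and report CVEs whose knownRansomwareCampaignUse field changed to "Known", then narrow the result to one vendor. The field names follow CISA's published feed schema; the snapshot contents below are constructed, and the CVE-1900-* entries are placeholders.

```python
import json

# Constructed snapshots in the shape of CISA's KEV JSON feed (a top-level
# "vulnerabilities" list). Field names follow the published feed; the
# entries other than CVE-2025-22225 are illustrative placeholders.
KEV_BEFORE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "knownRansomwareCampaignUse": "Known"},
]})
KEV_AFTER = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
     "knownRansomwareCampaignUse": "Known"},  # flipped without an announcement
    {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "knownRansomwareCampaignUse": "Known"},  # new
]})


def load_kev(raw: str) -> dict:
    """Index a KEV snapshot by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def newly_ransomware_tagged(before_raw: str, after_raw: str) -> list:
    """CVE IDs tagged "Known" for ransomware use in the newer snapshot that
    were either absent from, or not tagged "Known" in, the older one."""
    before, after = load_kev(before_raw), load_kev(after_raw)
    flipped = []
    for cve, entry in after.items():
        if entry.get("knownRansomwareCampaignUse") != "Known":
            continue
        prev = before.get(cve)
        if prev is None or prev.get("knownRansomwareCampaignUse") != "Known":
            flipped.append(cve)
    return sorted(flipped)


def vendor_exposure(after_raw: str, flipped: list, vendor: str) -> list:
    """Narrow the changed set to one vendor so it can be mapped onto an
    inventory (here: the VMware estate the article is about)."""
    after = load_kev(after_raw)
    return [c for c in flipped if after[c].get("vendorProject") == vendor]
```

Run it against yesterday's and today's download of the live feed instead of the constructed snapshots to get the same report for real changes.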

Organizations running unpatched VMware ESXi should treat this as a critical priority — ransomware gangs are actively hunting these systems.

Source: BleepingComputer
