More than 17,000 internet-exposed VMware ESXi installations worldwide are at risk from a critical integer-overflow vulnerability tracked as CVE-2025-41236 (CVSS 9.3), security researchers warn.
The vulnerability, first flagged in July, prompted urgent calls for patching, but the latest scan results suggest progress remains slow, with thousands of systems still unpatched.
The Shadowserver Foundation, in partnership with the UK Government, added targeted detection for CVE-2025-41236 to its daily global scan on July 19, 2025.
The first scan identified 17,238 unique IPs running vulnerable versions of ESXi, a virtualization platform widely used in enterprise environments.
By August 10, the number of unpatched servers had fallen only marginally, to 16,330, underscoring a slow pace of remediation despite public warnings and the critical nature of the flaw.
VMware ESXi Vulnerability – CVE-2025-41236
The geographical distribution of exposed systems highlights the scale of the problem. France, China, the United States and Germany top the list of most affected countries, each hosting hundreds or thousands of vulnerable ESXi instances.
Exposed Servers
Other regions with significant exposure include Russia, the Netherlands and Brazil. The situation presents heightened risk for businesses, governments and cloud service providers that rely on ESXi for virtualization.
An attacker able to exploit this vulnerability could gain control of the hypervisor underpinning core infrastructure, potentially disrupting critical systems at scale.
CVE-2025-41236 is an integer-overflow vulnerability in the VMXNET3 virtual network adapter of VMware ESXi (the same flaw also affects Workstation and Fusion), disclosed in Broadcom advisory VMSA-2025-0013 and rated 9.3 on the CVSS scale. It is not a bug in a remotely reachable management interface: an attacker who already holds local administrative privileges inside a guest virtual machine that uses a VMXNET3 adapter can trigger it to execute code on the host, escaping the VM. From the hypervisor, that attacker can reach every other guest on the host, escalate further, or deploy ransomware across the virtual environment.
Because the entry point is any guest the attacker controls, one compromised VM on a multi-tenant host is enough, and researchers warn that exploitation could let attackers pivot across entire data centres. The vulnerability affects ESXi 7.0 and 8.0 builds prior to the fixed releases listed in the advisory, and exploits were reportedly circulating on underground forums by late July.
Security teams have responded slowly, as the numbers show: Shadowserver's scans over three weeks record a reduction of fewer than 1,000 vulnerable instances, roughly 5% of those at risk. Experts attribute the slow patching to complex upgrade processes, downtime concerns and poor awareness.
Many of the exposed ESXi hosts are directly reachable from the internet, which compounds the risk: such hosts are trivial to fingerprint and target, and an exposed management plane is an attack surface in its own right, independent of this flaw.
Patch immediately: Organizations running unpatched ESXi versions should deploy the official security updates referenced in VMSA-2025-0013 without delay.
Check exposure: Compare every host's build number against the fixed builds in the vendor advisory, and use public scan data (such as Shadowserver's reports) or your own external scans to confirm whether any hosts are visible from the internet.
Restrict access: Keep management interfaces off the internet, enforce strong authentication policies, and, because this flaw is triggered from inside a guest, treat every VM, including tenant and lab VMs, as a potential attacker.
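The exposure check above, as an added example that is not part of the original article or any vendor tooling: it parses the output of `esxcli system version get` collected from several hosts and flags each one as patched, vulnerable, or on an unsupported release line. The sample output below is constructed, and the build-number thresholds in `FIXED_BUILDS` are illustrative placeholders that must be replaced with the fixed builds published in VMSA-2025-0013.

```python
"""Triage ESXi hosts for CVE-2025-41236 by comparing build numbers to fixed builds."""
import re
from dataclasses import dataclass

# ASSUMPTION / placeholder values only: replace each number with the fixed build
# that Broadcom advisory VMSA-2025-0013 lists for that release line. The key is
# (major.minor version, Update number) because each update line has its own fix.
FIXED_BUILDS = {
    ("7.0", "3"): 24800000,   # ESXi 7.0 Update 3 line (placeholder)
    ("8.0", "2"): 24800000,   # ESXi 8.0 Update 2 line (placeholder)
    ("8.0", "3"): 24800000,   # ESXi 8.0 Update 3 line (placeholder)
}


@dataclass(frozen=True)
class EsxiVersion:
    host: str
    version: str   # e.g. "8.0.3"
    update: str    # e.g. "3"
    build: int     # numeric part of "Releasebuild-NNNNNNNN"


# One "Key: value" line of `esxcli system version get` output.
_FIELD = re.compile(r"^\s*(Product|Version|Build|Update|Patch):\s*(.+?)\s*$", re.M)


def parse_version_output(host: str, text: str) -> EsxiVersion:
    """Parse the output of `esxcli system version get` for one host."""
    fields = dict(_FIELD.findall(text))
    missing = {"Product", "Version", "Build", "Update"} - fields.keys()
    if missing:
        raise ValueError(f"{host}: missing fields {sorted(missing)}")
    if "ESXi" not in fields["Product"]:
        raise ValueError(f"{host}: not an ESXi host ({fields['Product']})")
    m = re.search(r"(\d+)$", fields["Build"])   # "Releasebuild-24280767" -> 24280767
    if not m:
        raise ValueError(f"{host}: unparseable build {fields['Build']!r}")
    return EsxiVersion(host, fields["Version"], fields["Update"], int(m.group(1)))


def assess(v: EsxiVersion) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for one host."""
    major = ".".join(v.version.split(".")[:2])      # "8.0.3" -> "8.0"
    threshold = FIXED_BUILDS.get((major, v.update))
    if threshold is None:
        # Release lines with no fix entry (e.g. end-of-life 6.x) cannot be
        # patched in place and should be treated as exposed, not as safe.
        return "unsupported"
    return "patched" if v.build >= threshold else "vulnerable"


def triage(outputs: dict[str, str]) -> dict[str, str]:
    """Map each host name to its assessment."""
    return {host: assess(parse_version_output(host, text)) for host, text in outputs.items()}


# Constructed sample output, modelled on the format of `esxcli system version get`.
SAMPLE_OUTPUTS = {
    "esx01.example.test": """
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24280767
   Update: 3
   Patch: 0
""",
    "esx02.example.test": """
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24900000
   Update: 3
   Patch: 0
""",
    "esx03.example.test": """
   Product: VMware ESXi
   Version: 6.7.0
   Build: Releasebuild-17700523
   Update: 3
   Patch: 0
""",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_OUTPUTS).items()):
        print(f"{host:22} {status}")
```

In practice the per-host text would come from `ssh`, the vCenter API or a configuration-management inventory rather than an inline dictionary; the comparison is keyed on the update line because a host on 8.0 Update 2 and a host on 8.0 Update 3 receive different fixed builds, so a single global threshold would misclassify one of them. A host flagged "unsupported" is the worst case: it needs an upgrade, not a patch.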
The continued presence of thousands of internet-exposed, unpatched ESXi servers signals an urgent need for better security hygiene and faster vulnerability management. With cybercriminals actively seeking to exploit CVE-2025-41236, time is of the essence.