The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a critical VMware ESXi vulnerability, known as CVE-2025-22225. This security flaw is being leveraged by ransomware groups to compromise virtual machine environments.
Details on the VMware ESXi Vulnerability
Identified as an arbitrary write vulnerability, CVE-2025-22225 allows attackers to escape the virtual machine isolation in VMware ESXi, with a high CVSS score of 8.2. This vulnerability, previously addressed by Broadcom in March 2025, permits malicious actors with VMX process privileges to execute arbitrary kernel writes, gaining unauthorized control over hypervisors.
This vulnerability was disclosed alongside two other zero-day vulnerabilities, CVE-2025-22224 and CVE-2025-22226, which have also been exploited in the wild since early 2025. The three vulnerabilities together pose significant threats, especially to enterprise environments that rely heavily on virtualized systems.
Impact and Exploitation in the Wild
On March 4, 2025, CISA included CVE-2025-22225 in its Known Exploited Vulnerabilities catalog, emphasizing the urgency for federal systems to apply patches by March 25, 2025. Recent reports from February 2026 indicate this vulnerability’s use in ransomware operations, although the specific threat actors remain unidentified.
Attackers are reportedly using this vulnerability in conjunction with others to achieve full virtual machine escape, primarily targeting enterprise hypervisors that manage sensitive information. The exploitation often begins with administrative access, which is utilized to disable VMCI drivers and facilitate further malicious activities.
Protective Measures and Recommendations
Organizations are urged to apply Broadcom’s patches promptly for VMware ESXi 7.0 and 8.0, as well as related products. CISA advises following vendor mitigations and federal directives such as BOD 22-01. Additional protection can be achieved by enhancing endpoint detection and response (EDR) systems to monitor for anomalies and restricting VM administrative privileges.
Given VMware ESXi’s widespread use in enterprises, it remains a significant target for ransomware attacks. Unpatched systems face the risk of complete infrastructure encryption and data compromise. It is crucial for organizations to prioritize patch management to mitigate these threats effectively.
Stay updated with the latest cybersecurity news by following us on Google News, LinkedIn, and X. For more information or to share your stories, contact us directly.
