Ransomware Strikes: Exploiting VMware ESXi Vulnerability
Recent reports from CISA highlight a concerning trend: ransomware groups are exploiting a critical VMware ESXi sandbox-escape vulnerability that had previously been used in zero-day attacks. The vulnerability, tracked as CVE-2025-22225, was patched by Broadcom in March 2025 together with two other flaws, CVE-2025-22226 and CVE-2025-22224, all three of which were categorized as actively exploited zero-days.
The CVE-2025-22225 flaw, in particular, allows a malicious actor with privileges within the VMX process to trigger an arbitrary kernel write, ultimately leading to an escape from the sandbox, as described by Broadcom.
Broadcom’s patches for these vulnerabilities extend to various VMware ESX products, including VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform. Attackers with privileged administrator or root access can exploit these vulnerabilities in tandem to break out of the virtual machine’s sandbox.
According to a recent report by cybersecurity firm Huntress, threat actors, notably Chinese-speaking ones, have likely been leveraging these vulnerabilities in sophisticated zero-day attacks since at least February 2024.
Ransomware Exploitation Warning
In an update released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), CVE-2025-22225 has been flagged as actively exploited in ransomware campaigns. While specific details about these attacks were not disclosed, CISA urges organizations to secure their systems in line with the directives outlined in Binding Operational Directive (BOD) 22-01 by March 25, 2025.
CISA emphasizes the importance of applying mitigations as per vendor instructions, following BOD 22-01 guidelines for cloud services, or discontinuing product usage if effective mitigations are unavailable.
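The BOD 22-01 workflow described above (match CISA's Known Exploited Vulnerabilities entries against what you run, and prioritise those flagged for ransomware use or already past their due date) can be scripted. The following is an added example, not code from the article or from CISA; the feed data is a constructed sample in the shape of the KEV JSON feed, in which only CVE-2025-22225, CVE-2025-22226 and the 2025-03-25 deadline come from the article.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the two VMware CVE ids and the 2025-03-25 BOD 22-01 due date come from the
# article; the other field values and the third entry are placeholders.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
     "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-22226", "vendorProject": "VMware", "product": "ESXi",
     "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dueDate": "2030-01-01",
     "knownRansomwareCampaignUse": "Known"},
]})


def kev_exposure(kev_json, inventory, today_iso):
    """Match KEV entries against an asset inventory.

    inventory maps vendorProject -> set of product names the organisation runs.
    today_iso is an ISO date string used to decide whether the BOD 22-01
    remediation due date has already passed.
    Returns a list of dicts ordered by urgency: entries CISA marks as used in
    ransomware campaigns first, then entries already past their due date,
    then the soonest due date.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["product"] not in inventory.get(entry["vendorProject"], set()):
            continue  # not a product we run, so no exposure to track
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": entry["cveID"],
            "due": entry["dueDate"],
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "overdue": today > due,
        })
    hits.sort(key=lambda h: (not h["ransomware"], not h["overdue"], h["due"]))
    return hits


if __name__ == "__main__":
    for hit in kev_exposure(SAMPLE_KEV, {"VMware": {"ESXi"}}, "2025-04-01"):
        flags = ("RANSOMWARE " if hit["ransomware"] else "") + ("OVERDUE" if hit["overdue"] else "")
        print(f"{hit['cve']} due {hit['due']} {flags}".rstrip())
```

Point `kev_json` at the live feed and `inventory` at your CMDB export to get the same prioritised list for your own estate.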
Given the widespread use of VMware products in enterprise environments that often house sensitive data, ransomware groups and state-sponsored actors frequently target VMware vulnerabilities. For instance, CISA previously issued alerts regarding vulnerabilities in Broadcom’s VMware Aria Operations and VMware Tools software, exploited by Chinese hackers in zero-day attacks.
More recently, CISA identified a critical vulnerability (CVE-2024-37079) in VMware vCenter Server as actively exploited in January, prompting federal agencies to secure their servers by February 13.
Furthermore, cybersecurity company GreyNoise reported that CISA identified 59 security flaws silently exploited in ransomware campaigns in the past year alone.
