Broadcom: CISA: VMware ESXi flaw now exploited in ransomware attacks

Ransomware Gangs Exploit Critical VMware ESXi Sandbox Escape Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed this week that ransomware groups are actively exploiting CVE-2025-22225, a high-severity VMware ESXi sandbox escape vulnerability. The flaw, patched by Broadcom in March 2025, allows attackers with privileged access to the VMX process to execute arbitrary kernel writes, enabling sandbox escapes.

Broadcom addressed CVE-2025-22225 alongside two other actively exploited zero-days, CVE-2025-22226 (a memory leak) and CVE-2025-22224 (a TOCTOU flaw), affecting VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform. Attackers with admin or root access could chain these vulnerabilities to bypass virtual machine isolation.

Cybersecurity firm Huntress reported last month that Chinese-speaking threat actors had likely exploited these flaws in sophisticated zero-day attacks since at least February 2024. CISA first added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog in March 2025, requiring federal agencies to patch by March 25, 2025, under Binding Operational Directive (BOD) 22-01.

VMware vulnerabilities remain a prime target for ransomware and state-sponsored groups due to the platform’s widespread enterprise adoption. In October 2024, CISA ordered agencies to patch CVE-2025-41244, a VMware Aria Operations and Tools flaw exploited by Chinese hackers since late 2024. Earlier this year, another critical vCenter Server vulnerability (CVE-2024-37079) was flagged as actively exploited, with a patch deadline of February 13, 2025.

Separately, GreyNoise revealed that CISA discreetly classified 59 vulnerabilities as ransomware-exploited in 2024 alone, underscoring the growing threat landscape.

Source: https://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/

VMware cybersecurity rating report: https://www.rankiteo.com/company/vmware

{
  "id": "VMW1770230091",
  "linkid": "vmware",
  "type": "Ransomware",
  "date": "3/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Enterprises using VMware ESXi, '
                                              'Fusion, Cloud Foundation, '
                                              'vSphere, Workstation, Telco '
                                              'Cloud Platform',
                        'industry': 'Software/Cloud Infrastructure',
                        'location': 'Global',
                        'name': 'Broadcom (VMware)',
                        'type': 'Technology Vendor'}],
 'attack_vector': 'Privileged access to VMX process, sandbox escape',
 'date_detected': '2024-02',
 'date_publicly_disclosed': '2025-03',
 'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
                '(CISA) confirmed that ransomware groups are actively '
                'exploiting CVE-2025-22225, a high-severity VMware ESXi '
                'sandbox escape vulnerability. The flaw allows attackers with '
                'privileged access to the VMX process to execute arbitrary '
                'kernel writes, enabling sandbox escapes. Broadcom patched the '
                'vulnerability in March 2025 alongside two other actively '
                'exploited zero-days (CVE-2025-22226 and CVE-2025-22224).',
 'impact': {'operational_impact': 'Bypass of virtual machine isolation',
            'systems_affected': 'VMware ESXi, Fusion, Cloud Foundation, '
                                'vSphere, Workstation, Telco Cloud Platform'},
 'investigation_status': 'Ongoing',
 'motivation': ['Financial gain', 'Espionage'],
 'post_incident_analysis': {'corrective_actions': 'Patch management, '
                                                  'vulnerability scanning',
                            'root_causes': 'Unpatched VMware ESXi '
                                           'vulnerabilities (CVE-2025-22225, '
                                           'CVE-2025-22226, CVE-2025-22224)'},
 'recommendations': 'Patch VMware ESXi, Fusion, Cloud Foundation, vSphere, '
                    'Workstation, and Telco Cloud Platform systems immediately '
                    'to mitigate CVE-2025-22225, CVE-2025-22226, and '
                    'CVE-2025-22224.',
 'references': [{'source': 'CISA'},
                {'source': 'Huntress'},
                {'source': 'GreyNoise'}],
 'regulatory_compliance': {'regulatory_notifications': 'CISA Binding '
                                                       'Operational Directive '
                                                       '(BOD) 22-01'},
 'response': {'containment_measures': 'Patching (March 2025)',
              'remediation_measures': 'Application of security updates for '
                                      'CVE-2025-22225, CVE-2025-22226, '
                                      'CVE-2025-22224',
              'third_party_assistance': 'Huntress, GreyNoise'},
 'stakeholder_advisories': 'Federal agencies mandated to patch by March 25, '
                           '2025 under BOD 22-01',
 'threat_actor': 'Chinese-speaking threat actors, ransomware gangs',
 'title': 'Ransomware Gangs Exploit Critical VMware ESXi Sandbox Escape Flaw',
 'type': 'Ransomware',
 'vulnerability_exploited': ['CVE-2025-22225',
                             'CVE-2025-22226',
                             'CVE-2025-22224']}