Active Ransomware Exploitation of VMware ESXi Vulnerability (CVE-2025-22225)
February 11th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring CVE-2025-22225, a high-severity VMware ESXi vulnerability disclosed and patched by Broadcom in March 2025. CISA’s KEV Catalog now indicates the vulnerability is known to be used in ransomware campaigns, increasing urgency for organizations running vulnerable ESXi deployments. Attackers with sufficient VMX process privileges can escape the virtual machine sandbox and compromise the ESXi host. While exploitation is not unauthenticated or purely network-based, ransomware operators have demonstrated the ability to chain this vulnerability after gaining initial access to a guest virtual machine, allowing host-level actions and increasing the potential impact. Successful exploitation may result in ransomware deployment, widespread service disruption, and loss of availability in virtualized environments. Organizations are strongly advised to apply vendor patches, assess exposure, and enhance monitoring for suspicious guest-to-host activity that may indicate VM escape attempts.
Technical Details
CVE-ID: CVE-2025-22225
Severity: High (CVSS v3.1 8.2)
Vulnerability Type: Arbitrary Write leading to potential sandbox escape (guest-to-host)
Component Affected: VMware ESXi Hypervisor (VMX process)
Attack Vector: Local
Privileges Required: High (attacker must have privileges within the VMX process)
User Interaction: None
Attack Conditions:
The attacker must first obtain privileged execution within a guest virtual machine, typically through credential compromise, malware infection, or exploitation of another vulnerability.
A specially crafted sequence can trigger an arbitrary kernel write, allowing the attacker to escape the VM sandbox and interact with the ESXi host.
Once the hypervisor context is compromised, attackers may disrupt virtualization services or facilitate ransomware activity affecting hosted workloads.
Exploitation Status:
Confirmed active exploitation reported by CISA in ransomware campaigns
Listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog
Broadcom has acknowledged information suggesting in-the-wild exploitation
Public exploit code remains limited, but real-world abuse has been observed

Impact
Successful exploitation of CVE-2025-22225 may result in:
Hypervisor Impact: Escape from guest VM isolation boundaries, increasing attacker control
Expanded Ransomware Blast Radius: Ability to affect multiple virtual machines hosted on the same ESXi server
Severe Service Disruption: Outages impacting mission-critical workloads
Data Availability Risks: Increased likelihood of encrypted or inaccessible virtual disks and snapshots
Enterprise-Wide Risk: Compromise of a single ESXi host may cascade across virtualized environments
Increased Extortion Pressure: High operational impact may accelerate ransom demands
Detection Method
Defenders should consider the following detection and validation approaches:
Guest-to-Host Anomaly Detection:
Unexpected or abnormal behavior originating from guest VMs
Indicators of sandbox escape or VMX process manipulation
Virtual Machine Activity:
Sudden bulk VM shutdowns or failures without administrative justification
Unexpected snapshot deletion or VM configuration changes
Host-Level Indicators:
Abnormal ESXi host service behavior
Unexpected hypervisor instability or crashes
Behavioral Anomalies:
Administrative actions occurring outside approved maintenance windows
Rapid changes affecting multiple virtual machines in a short time frame
Threat Intelligence Correlation:
Identification of ESXi versions listed as vulnerable in Broadcom and CISA advisories
Correlation with known ransomware TTPs targeting virtualization infrastructure
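The Virtual Machine Activity and Behavioral Anomalies indicators above (bulk shutdowns, snapshot deletion, administrative actions outside maintenance windows) can be turned into a simple check over exported event logs. The following is an added example and is not part of this advisory or any vendor tooling: the log lines are constructed in a simplified "timestamp user action vm" shape, and the action names, the parsing regular expression and the maintenance window are assumptions to adapt to the field names your SIEM actually receives from ESXi.

```python
"""Toy detector for the VM-activity anomalies listed in the advisory.

Added example, not part of the advisory or any vendor tooling. The log lines
are CONSTRUCTED in a simplified "<timestamp> <user> <action> <vm>" shape;
real ESXi hostd/vpxd events look different, so LINE_RE and the action names
are assumptions to adapt to your own log pipeline.
"""
import re
from datetime import datetime, time, timedelta

# Constructed sample events (UTC). The 02:14 burst mimics an attacker
# powering off VMs and deleting snapshots before encrypting virtual disks.
SAMPLE_LOG = """\
2026-02-11T02:14:03Z svc-backup PowerOff vm-erp-01
2026-02-11T02:14:05Z svc-backup PowerOff vm-erp-02
2026-02-11T02:14:06Z svc-backup PowerOff vm-db-01
2026-02-11T02:14:08Z svc-backup PowerOff vm-file-01
2026-02-11T02:14:09Z svc-backup RemoveSnapshot vm-db-01
2026-02-11T02:14:11Z svc-backup RemoveSnapshot vm-erp-01
2026-02-11T09:30:00Z admin-jdoe PowerOff vm-test-07
2026-02-11T22:05:00Z admin-jdoe ReconfigVM vm-web-02
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<vm>\S+)$")
SNAPSHOT_ACTIONS = {"RemoveSnapshot", "RemoveAllSnapshots"}
WATCHED_ACTIONS = SNAPSHOT_ACTIONS | {"PowerOff", "Destroy", "ReconfigVM"}
# Assumed approved maintenance window (UTC); watched actions outside it are flagged.
MAINT_START, MAINT_END = time(22, 0), time(23, 59)


def parse_events(text):
    """Parse log text into sorted (timestamp, user, action, vm) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip noise rather than abort the whole scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["action"], m["vm"]))
    return sorted(events)


def bulk_poweroffs(events, min_vms=3, window=timedelta(seconds=60)):
    """Return (window_start, vms) for bursts of at least min_vms distinct VMs
    powered off within `window`. Ransomware typically powers VMs off first,
    because a running VM holds its virtual disks open."""
    offs = [(ts, vm) for ts, _, action, vm in events if action == "PowerOff"]
    hits = []
    for i, (start, _) in enumerate(offs):
        vms = {vm for ts, vm in offs[i:] if ts - start <= window}
        # ignore windows already covered by the previous, larger hit
        if len(vms) >= min_vms and not (hits and vms <= hits[-1][1]):
            hits.append((start, frozenset(vms)))
    return hits


def snapshot_removals(events):
    """Snapshot deletions: removing them destroys the cheapest rollback points."""
    return [e for e in events if e[2] in SNAPSHOT_ACTIONS]


def outside_maintenance(events, start=MAINT_START, end=MAINT_END):
    """Watched actions whose time of day falls outside the approved window."""
    return [e for e in events
            if e[2] in WATCHED_ACTIONS and not (start <= e[0].time() <= end)]


def report(text):
    """Summarise all three checks for one log extract."""
    events = parse_events(text)
    return {
        "bulk_poweroff_bursts": bulk_poweroffs(events),
        "snapshot_removals": snapshot_removals(events),
        "outside_maintenance": outside_maintenance(events),
    }


if __name__ == "__main__":
    for name, findings in report(SAMPLE_LOG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

On the constructed sample the 02:14 burst is reported once (four VMs in under ten seconds) rather than once per overlapping window, the two snapshot removals are listed, and every watched action outside the 22:00-23:59 window is flagged, including the one at 09:30 that is not part of the burst. Thresholds such as `min_vms` and the window length should be tuned against the normal shutdown cadence of your own backup and patching jobs, since those legitimately produce bursts too.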
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.

Recommendations
Organizations are strongly advised to implement the following mitigations:
Apply Vendor Patches Immediately:
Upgrade all affected ESXi hosts to Broadcom-provided fixed versions
Restrict Privileged Access:
Minimize administrative privileges within guest virtual machines
Apply strict role-based access controls
Harden Monitoring and Logging:
Enable detailed ESXi and VM logging
Forward logs to centralized SIEM platforms
Monitor for anomalous VMX and hypervisor activity
Protect Backup Infrastructure:
Maintain offline or immutable backups
Regularly test restoration procedures
Assume Breach for High-Risk Systems:
Treat previously compromised or high-exposure guest VMs as potential pivot points
Conduct incident response, credential rotation, and integrity validation where warranted
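For the version-correlation item under Detection Method and the patching recommendation above, the following added example (not from this advisory or from Broadcom) shows how to assess exposure across an inventory of hosts by comparing each host's build number with the fixed build for its branch. The numbers in FIXED_BUILD are placeholders to be replaced with the fixed builds from Broadcom's CVE-2025-22225 advisory; the inventory is constructed, and the only real format assumed is that `esxcli system version get` reports its Build field as "Releasebuild-<number>".

```python
"""Exposure check: which ESXi hosts in an inventory are below the fixed build?

Added example, not from the advisory or Broadcom. FIXED_BUILD holds
PLACEHOLDER numbers; replace them with the fixed build per branch from
Broadcom's CVE-2025-22225 advisory. The inventory is constructed; in practice
populate it from `esxcli system version get` on each host (its Build field
reads "Releasebuild-<number>") or from PowerCLI's Get-VMHost output.
"""
import re
from dataclasses import dataclass

# PLACEHOLDER minimum fixed build per supported branch (replace before use).
FIXED_BUILD = {"7.0": 70_000_000, "8.0": 80_000_000}

BUILD_RE = re.compile(r"(?:Releasebuild-)?(\d+)$")


@dataclass(frozen=True)
class Host:
    name: str
    version: str  # e.g. "8.0.3"
    build: int


def parse_build(text):
    """Accept either a bare build number or esxcli's 'Releasebuild-NNN' form."""
    m = BUILD_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {text!r}")
    return int(m.group(1))


def branch(version):
    """'8.0.3' -> '8.0': fixed builds are tracked per major.minor branch."""
    return ".".join(version.split(".")[:2])


def assess(host):
    """Classify a host. A branch with no fix mapping is reported as unknown
    rather than silently treated as safe."""
    fixed = FIXED_BUILD.get(branch(host.version))
    if fixed is None:
        return "unknown"
    return "patched" if host.build >= fixed else "vulnerable"


def exposure_report(hosts):
    """Map each host name to its assessment."""
    return {h.name: assess(h) for h in hosts}


def needs_attention(hosts):
    """Hosts to escalate: anything not positively confirmed as patched."""
    return [h.name for h in hosts if assess(h) != "patched"]


# Constructed inventory; build numbers are made up to sit around the placeholders.
INVENTORY = [
    Host("esx01", "8.0.3", parse_build("Releasebuild-80000001")),
    Host("esx02", "8.0.2", parse_build("Releasebuild-79999999")),
    Host("esx03", "7.0.3", parse_build("70000000")),
    Host("esx04", "6.7.0", parse_build("Releasebuild-16000000")),
]

if __name__ == "__main__":
    for name, status in exposure_report(INVENTORY).items():
        print(f"{name}: {status}")
    print("escalate:", needs_attention(INVENTORY))
```

The design point is the "unknown" outcome: a host on a branch for which no fixed build has been recorded is escalated alongside the confirmed-vulnerable ones, so a gap in the mapping table never reads as a clean bill of health. Hosts reported as vulnerable or unknown are also the natural first candidates for the assume-breach review described above.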
Conclusion
The active exploitation of CVE-2025-22225 highlights ransomware groups’ growing focus on virtualization infrastructure as a high-impact attack surface. By combining guest-level access with hypervisor escape vulnerabilities, attackers can bypass security controls and significantly increase their impact. We urge organizations to prioritize addressing this vulnerability by promptly applying patches, strengthening privilege controls, and proactively monitoring virtualized environments.