CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was previously used in zero-day attacks.
Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) in March 2025 alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged all three as actively exploited zero-days.
“A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox,” Broadcom said about the CVE-2025-22225 flaw.
At the time, the company said that the three vulnerabilities affect VMware ESX products, including VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform, and that attackers with privileged administrator or root access can chain them to escape the virtual machine’s sandbox.
According to a report published last month by cybersecurity company Huntress, Chinese-speaking threat actors have likely been chaining these flaws in sophisticated zero-day attacks since at least February 2024.
Flagged as exploited in ransomware attacks
In a Wednesday update to its list of vulnerabilities exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said CVE-2025-22225 is now known to be used in ransomware campaigns but did not provide further details about these ongoing attacks.
CISA first added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in March 2025 and ordered federal agencies to secure their systems by March 25, 2025, as mandated by Binding Operational Directive (BOD) 22-01.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” the cybersecurity agency says.
Ransomware gangs and state-sponsored hacking groups often target VMware vulnerabilities because VMware products are widely deployed on enterprise systems that commonly store sensitive corporate data.
For instance, in October, CISA ordered government agencies to patch a high-severity vulnerability (CVE-2025-41244) in Broadcom’s VMware Aria Operations and VMware Tools software, which Chinese hackers have exploited in zero-day attacks since October 2024.
More recently, CISA also tagged a critical VMware vCenter Server vulnerability (CVE-2024-37079) as actively exploited in January and ordered federal agencies to secure their servers by February 13.
In related news, this week, cybersecurity company GreyNoise reported that CISA has “silently” tagged 59 security flaws as known to be used in ransomware campaigns last year alone.
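As an added defender-side example (not code from the article, CISA, or Broadcom), the script below diffs two snapshots of the KEV JSON feed to catch the kind of quiet retagging GreyNoise describes, and lists catalog entries that are past their BOD 22-01 due date. The field names (cveID, vendorProject, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public KEV catalog schema; the two snapshots, their dates and version strings are constructed samples, not real catalog data.

```python
"""Track KEV ransomware flags and BOD 22-01 due dates across catalog snapshots.

Added example, not from the article. Field names follow the public CISA KEV
JSON schema; the snapshot contents below are constructed samples.
"""
import json
from datetime import date

# Constructed "older" snapshot: the three March 2025 ESX flaws are listed,
# none yet marked as used in ransomware. dateAdded values are sample values.
OLD_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample-old",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi and Workstation",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22226", "vendorProject": "VMware", "product": "ESXi, Workstation, and Fusion",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed "newer" snapshot: CVE-2025-22225 silently flipped to "Known",
# and a vCenter entry (sample dateAdded) arrived with a February 13 due date.
NEW_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample-new",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi and Workstation",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-22226", "vendorProject": "VMware", "product": "ESXi, Workstation, and Fusion",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
         "dateAdded": "2026-01-23", "dueDate": "2026-02-13", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(text):
    """Parse a KEV JSON document into a dict keyed by CVE ID."""
    return {entry["cveID"]: entry for entry in json.loads(text)["vulnerabilities"]}


def new_entries(old, new):
    """CVE IDs present in the newer snapshot but absent from the older one."""
    return sorted(set(new) - set(old))


def ransomware_flag_changes(old, new):
    """CVE IDs whose knownRansomwareCampaignUse became 'Known' between snapshots.

    This catches both entries that were retagged in place (no new dateAdded,
    so a 'newly added' check alone would miss them) and entries that arrive
    already flagged.
    """
    flipped = []
    for cve_id, entry in new.items():
        was_known = old.get(cve_id, {}).get("knownRansomwareCampaignUse") == "Known"
        if entry.get("knownRansomwareCampaignUse") == "Known" and not was_known:
            flipped.append(cve_id)
    return sorted(flipped)


def overdue_entries(catalog, today_iso, vendor=None):
    """CVE IDs whose BOD 22-01 dueDate is strictly before today (ISO date string).

    Optionally restrict to a single vendorProject value, e.g. "VMware".
    """
    today = date.fromisoformat(today_iso)
    result = []
    for cve_id, entry in catalog.items():
        if vendor and entry.get("vendorProject") != vendor:
            continue
        if date.fromisoformat(entry["dueDate"]) < today:
            result.append(cve_id)
    return sorted(result)


if __name__ == "__main__":
    old, new = load_kev(OLD_SNAPSHOT), load_kev(NEW_SNAPSHOT)
    print("newly added:", new_entries(old, new))
    print("newly flagged as ransomware use:", ransomware_flag_changes(old, new))
    print("VMware entries overdue as of 2025-03-26:",
          overdue_entries(new, "2025-03-26", vendor="VMware"))
```

In practice you would feed the script two downloads of the live catalog (one retained from the previous run), since CISA does not publish a change log for the ransomware flag; the diff approach is what makes the silent retagging visible.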