Wednesday, February 4, 2026
VMware ESXi flaw now exploited in ransomware assaults

CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was previously used in zero-day attacks.

Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) in March 2025 alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged all three as actively exploited zero-days.

“A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox,” Broadcom said about the CVE-2025-22225 flaw.

At the time, the company said that the three vulnerabilities affect VMware ESX products, including VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform, and that attackers with privileged administrator or root access can chain them to escape the virtual machine’s sandbox.

According to a report published last month by cybersecurity company Huntress, Chinese-speaking threat actors have likely been chaining these flaws in sophisticated zero-day attacks since at least February 2024.

Flagged as exploited in ransomware attacks

In a Wednesday update to its list of vulnerabilities exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said CVE-2025-22225 is now known to be used in ransomware campaigns, but did not provide further details about these ongoing attacks.

CISA first added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in March 2025 and ordered federal agencies to secure their systems by March 25, 2025, as mandated by Binding Operational Directive (BOD) 22-01.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” the cybersecurity agency says.
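The practical consequence of a KEV update like this one is that defenders need to re-check their own inventory against the catalog: which of the CVEs present in their estate are now marked as used in ransomware campaigns, and which have already passed their BOD 22-01 due date. The script below is an added example written for this article; it is not code from the article, from CISA, or from Broadcom. It assumes the field names used by CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) and runs entirely on a constructed sample embedded inline, where only the due dates the article states (March 25, 2025 for the ESXi flaws and February 13 for the vCenter flaw) are taken from the text; every other date and description in the sample is a placeholder.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. Field names mirror the
# public feed; the records themselves are illustrative, not a copy of the catalog.
# Due dates for CVE-2025-22225/22226 and CVE-2024-37079 follow the article; the
# other dates and the CVE-2025-41244 due date are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV sample (not the real catalog)",
  "vulnerabilities": [
    {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
     "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-22226", "vendorProject": "VMware", "product": "ESXi, Workstation, Fusion",
     "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
     "dateAdded": "2026-01-15", "dueDate": "2026-02-13",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-41244", "vendorProject": "Broadcom",
     "product": "VMware Aria Operations and VMware Tools",
     "dateAdded": "2025-10-30", "dueDate": "2025-11-20",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""


def load_kev(feed_text: str) -> list:
    """Parse a KEV-format feed and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def affecting_vendor(entries: list, keyword: str = "vmware") -> list:
    """CVE IDs whose vendor or product name mentions the keyword (case-insensitive)."""
    kw = keyword.lower()
    return sorted(e["cveID"] for e in entries
                  if kw in e["vendorProject"].lower() or kw in e["product"].lower())


def ransomware_flagged(entries: list) -> list:
    """CVE IDs CISA marks as known to be used in ransomware campaigns."""
    return sorted(e["cveID"] for e in entries
                  if e.get("knownRansomwareCampaignUse", "Unknown") == "Known")


def overdue(entries: list, today_iso: str) -> list:
    """CVE IDs whose BOD 22-01 remediation due date has already passed."""
    today = date.fromisoformat(today_iso)
    return sorted(e["cveID"] for e in entries
                  if date.fromisoformat(e["dueDate"]) < today)


def check_inventory(feed_text: str, deployed_cves: list, today_iso: str) -> dict:
    """Cross-check CVEs known to apply to your estate against the feed.

    Returns {cveID: {"in_kev": bool, "ransomware": bool, "overdue": bool, "due": str}}.
    """
    today = date.fromisoformat(today_iso)
    by_id = {e["cveID"]: e for e in load_kev(feed_text)}
    report = {}
    for cve in deployed_cves:
        entry = by_id.get(cve)
        if entry is None:
            report[cve] = {"in_kev": False}
            continue
        report[cve] = {
            "in_kev": True,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "overdue": date.fromisoformat(entry["dueDate"]) < today,
            "due": entry["dueDate"],
        }
    return report


if __name__ == "__main__":
    # Hypothetical inventory: CVEs an internal scanner reported for this estate.
    inventory = ["CVE-2025-22225", "CVE-2024-37079", "CVE-9999-0001"]
    for cve, status in check_inventory(SAMPLE_KEV_JSON, inventory, "2026-02-04").items():
        print(cve, status)
```

To use it against the live catalog, replace `SAMPLE_KEV_JSON` with the downloaded feed text and `inventory` with the CVE list from your own vulnerability scanner; the `overdue` and `ransomware` flags are the two fields worth paging on, since the first means the federal deadline has already passed and the second is exactly the status CISA changed for CVE-2025-22225 this week.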

Ransomware gangs and state-sponsored hacking groups often target VMware vulnerabilities because VMware products are widely deployed on enterprise systems that commonly store sensitive corporate data.

For instance, in October, CISA ordered government agencies to patch a high-severity vulnerability (CVE-2025-41244) in Broadcom’s VMware Aria Operations and VMware Tools software, which Chinese hackers have exploited in zero-day attacks since October 2024.

More recently, in January, CISA also tagged a critical VMware vCenter Server vulnerability (CVE-2024-37079) as actively exploited and ordered federal agencies to secure their servers by February 13.

In related news, cybersecurity company GreyNoise reported this week that CISA “silently” tagged 59 security flaws as known to be used in ransomware campaigns last year alone.
