24 Mar

A surge of ransomware attacks leveraging critical VMware virtualization vulnerabilities has triggered global alerts. Threat actors exploit flaws in ESXi, Workstation, and Fusion products to paralyze enterprise infrastructures.
The vulnerabilities CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (CVSS 8.2), and CVE-2025-22226 (CVSS 7.1) enable attackers to escape virtual machine (VM) containment, hijack hypervisors, and deploy ransomware across entire clusters.
Shadowserver observed that, as of March 4, 2025, more than 41,500 internet-exposed VMware ESXi hypervisors were vulnerable to CVE-2025-22224, a critical zero-day vulnerability actively exploited in attacks.
Vulnerability Trio: A Perfect Storm for Attackers

CVE-2025-22224, a heap overflow flaw in VMware’s VMCI driver, allows attackers with VM administrator privileges to execute code on the host’s VMX process. This serves as the entry point for hypervisor compromise.
Attackers then exploit CVE-2025-22225, an arbitrary write vulnerability, to escalate privileges and gain kernel-level control of ESXi hosts.
Finally, CVE-2025-22226 facilitates credential theft via hypervisor memory leaks, enabling lateral movement to vCenter and other critical systems.
The attack begins with breaching an internet-facing VM, often via web shells or stolen credentials. Once inside, adversaries exploit CVE-2025-22224 to escape the VM sandbox and execute code on the ESXi host.
Privilege escalation via CVE-2025-22225 grants kernel access, while CVE-2025-22226 extracts credentials from memory, bypassing network-based detection.
From the hypervisor, attackers pivot to vCenter via SSH or exploit unpatched vulnerabilities, often leveraging lax inter-subnet firewall rules. The final stage involves encrypting VM disk files (VMDKs) and deleting backups stored in vSphere datastores, crippling business operations, the Sygnia report reads.
Security teams face significant monitoring challenges:
Hypervisor Blind Spots: Only 38% of organizations monitor ESXi host logs like /var/log/hostd.log for VM management anomalies.
Noise Overload: High-volume VMware logs lack security optimization, allowing attackers to blend in.
Segmentation Failures: 72% of affected organizations lacked micro-segmentation between management interfaces and production networks.

The healthcare and financial sectors report the highest attack rates, with adversaries encrypting entire patient record systems and transaction databases within 47 minutes of initial access. Ransom demands average $2–5 million, with double extortion tactics threatening data leaks on dark web forums.
Broadcom has already patched the vulnerabilities in VMware products. On March 4, 2025, Broadcom released emergency updates to address three critical vulnerabilities – CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 – affecting several VMware products, including ESXi, Workstation, and Fusion.
Broadcom has released the following fixed versions for affected VMware products:
VMware ESXi 8.0: ESXi80U3d-24585383, ESXi80U2d-24585300
VMware ESXi 7.0: ESXi70U3s-24585291
VMware ESXi 6.7: ESXi670-202503001
VMware Workstation 17.x: 17.6.3
VMware Fusion 13.x: 13.6.3

Additionally, asynchronous patches are available for VMware Cloud Foundation, while Telco Cloud Platform customers should update to a fixed ESXi version.

Broadcom is strongly urging all VMware customers to apply these patches immediately. The vulnerabilities are particularly concerning because:
They are being actively exploited in the wild.
They allow attackers with administrative access to escape the virtual machine sandbox and potentially compromise all VMs running on the same server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all three CVEs to the Known Exploited Vulnerabilities (KEV) list.

Given the critical nature and active exploitation of these vulnerabilities, organizations must identify affected systems, apply the patches as soon as possible, monitor systems for unusual activity, and review their security practices.
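One way to act on the "identify affected systems" step, as an added example (not code from the article, Broadcom or Sygnia): a Python triage that compares each host's `esxcli system version get` output against the fixed ESXi builds listed earlier. It assumes esxcli's key/value output format and that the Version field reads 8.0.3, 8.0.2 and 7.0.3 for the 8.0 U3, 8.0 U2 and 7.0 U3 lines; the sample fleet output is constructed.

```python
import re

# Minimum fixed build per ESXi release line, from the Broadcom fixed versions
# listed above: ESXi80U3d-24585383 (8.0 U3), ESXi80U2d-24585300 (8.0 U2),
# ESXi70U3s-24585291 (7.0 U3). The 6.7 fix is named as the patch bundle
# ESXi670-202503001, not a build number, so 6.7 hosts need a manual check.
FIXED_BUILDS = {"8.0.3": 24585383, "8.0.2": 24585300, "7.0.3": 24585291}


def parse_esxcli_version(text):
    """Extract version and build from `esxcli system version get` output."""
    fields = dict(re.findall(r"^\s*(\w+):\s*(\S.*?)\s*$", text, re.M))
    # The Build field reads "Releasebuild-<number>"; keep only the number.
    build = int(re.search(r"(\d+)\s*$", fields["Build"]).group(1))
    return fields["Version"], build


def triage(version, build):
    """Classify a host against the fixed builds for CVE-2025-22224/5/6."""
    if version in FIXED_BUILDS:
        # Later patches on the same release line carry higher build numbers,
        # so anything at or above the fixed build already contains the fix.
        if build >= FIXED_BUILDS[version]:
            return "PATCHED"
        return "VULNERABLE"
    if version.startswith("6.7"):
        return "UNKNOWN"  # confirm ESXi670-202503001 is in the image profile
    # 8.0.0/8.0.1, 7.0.0-7.0.2, etc.: no fixed build exists on that line, so
    # the host must be upgraded to a fixed U2/U3 release.
    return "VULNERABLE"


def triage_fleet(outputs):
    """Map hostname -> status for a dict of collected esxcli outputs."""
    return {h: triage(*parse_esxcli_version(o)) for h, o in outputs.items()}


# Constructed sample output (not from real hosts) in esxcli's format.
SAMPLE_FLEET = {
    "esx01": "   Product: VMware ESXi\n   Version: 8.0.3\n"
             "   Build: Releasebuild-24585383\n   Update: 3\n   Patch: 0\n",
    "esx02": "   Product: VMware ESXi\n   Version: 8.0.3\n"
             "   Build: Releasebuild-24022510\n   Update: 3\n   Patch: 0\n",
    "esx03": "   Product: VMware ESXi\n   Version: 7.0.3\n"
             "   Build: Releasebuild-24585291\n   Update: 3\n   Patch: 0\n",
    "esx04": "   Product: VMware ESXi\n   Version: 8.0.1\n"
             "   Build: Releasebuild-23299997\n   Update: 1\n   Patch: 0\n",
}

if __name__ == "__main__":
    for host, status in triage_fleet(SAMPLE_FLEET).items():
        print(f"{host}: {status}")
```

Collect the esxcli output over SSH or from vCenter's host summary and feed it in as the dictionary values; a PATCHED result only covers these three CVEs, not the host's overall patch state.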