Ransomware attackers exploit VMware ESXi arbitrary-write vulnerability

Ransomware attackers are exploiting CVE-2025-22225, a VMware ESXi arbitrary-write vulnerability, in ransomware campaigns. CISA confirmed this last week, and researchers found that supported and unsupported VMware products alike are impacted, including VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion, VMware Cloud Foundation, and VMware Telco Cloud Platform.

CISA updated the vulnerability’s entry in its Known Exploited Vulnerabilities (KEV) catalog, confirming its high-importance status. CISA also ordered federal agencies to secure their systems by March 25, 2025, as mandated by Binding Operational Directive (BOD) 22-01.

Key findings

  • Last year, in early March 2025, Broadcom fixed CVE-2025-22225, CVE-2025-22224 (a heap overflow vulnerability) and CVE-2025-22226 (an information disclosure flaw) in VMware ESXi, Workstation and Fusion.
  • According to Broadcom, the three vulnerabilities had been exploited in the wild as zero-days, but details about the attacks were not shared. The three flaws were added to CISA’s KEV catalog on the same day.
  • For threat mitigation, the cybersecurity research firm advised applying mitigations as per vendor instructions.
  • Follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Threat analysis

According to cybersecurity firm Huntress, threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024. Huntress observed the threat actor activity in December 2025 and classified it as part of a ransomware attack.

Huntress found that the attack exploited three VMware vulnerabilities that Broadcom disclosed as zero-days in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1).

Successful exploitation of these issues could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process.

Alert for organizations

If the three vulnerabilities are chained together, what are the possible outcomes?

An incident of this kind allows an attacker to escape the initial target, here a Virtual Machine (VM), gain access to the underlying ESXi hypervisor, and subsequently reach other VMs and the management network of the exposed VMware cluster.

Source: https://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/