Ransomware groups are now actively exploiting critical vulnerabilities in VMware ESXi. On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) revealed that these high-severity flaws, previously seen only in zero-day attacks, are being weaponized by cybercriminals in ransomware campaigns.
In March 2025, Broadcom addressed a significant security risk related to an arbitrary write vulnerability in VMware ESXi, designated as CVE-2025-22225. This flaw allows malicious actors with sufficient privileges within the VMX process to execute arbitrary kernel writes, potentially leading to a dangerous escape from the sandbox environment. Alongside this vulnerability, two others—a memory leak (CVE-2025-22226) and a Time-of-Check to Time-of-Use (TOCTOU) flaw (CVE-2025-22224)—were also patched, all of which are currently recognized as exploited zero-days.
Broadcom clarified that these vulnerabilities impact a variety of VMware products, including VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform. Attackers who possess privileged administrator or root access can combine these vulnerabilities to bypass the protective measures of the virtual machine's sandbox.
A report released last month by cybersecurity firm Huntress indicated that threat actors, particularly Chinese-speaking groups, have likely been leveraging these vulnerabilities in sophisticated zero-day attacks since at least February 2024.
In a recent update to its catalog of known exploits, CISA confirmed that CVE-2025-22225 is now associated with ongoing ransomware operations, although specific details regarding these attacks were not disclosed. This particular flaw was first added to CISA's Known Exploited Vulnerabilities (KEV) catalog back in March 2025, with federal agencies instructed to secure their systems by March 25, 2025, following the guidance set out in Binding Operational Directive (BOD) 22-01.
CISA has emphasized the importance of following vendor instructions for mitigation, adhering to relevant BOD 22-01 guidelines for cloud services, or discontinuing the use of the affected products if effective mitigations are unavailable. Ransomware groups and state-sponsored hackers are increasingly targeting VMware vulnerabilities due to the widespread deployment of VMware products across enterprise environments, which often contain sensitive corporate data.
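The triage step that BOD 22-01 implies (find the catalog entries that apply to you, then work the ransomware-linked and overdue ones first) can be scripted against the KEV feed. The following is an added example, not code from the article or from CISA: the field names follow the public KEV JSON feed, the records are constructed sample data (only the CVE ids and the March 25, 2025 due date come from the article), and `triage_kev` and its inventory filter are assumptions.

```python
import json
from datetime import date

# Constructed sample in the KEV JSON layout. The CVE ids and the 2025-03-25
# due date come from the article; every other value is an illustrative placeholder.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
     "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi",
     "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-41244", "vendorProject": "Broadcom",
     "product": "VMware Aria Operations and VMware Tools",
     "dueDate": "2025-11-20", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-00001", "vendorProject": "ExampleCorp", "product": "Widget",
     "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Unknown"},
]})


def triage_kev(kev_json, products, today_iso, inventory=None):
    """Select KEV entries relevant to `products` and rank them for remediation.

    products:  case-insensitive names matched against vendorProject and product.
    today_iso: the date (YYYY-MM-DD) against which due dates are judged.
    inventory: optional set of CVE ids an asset scanner reports as present;
               when given, entries outside it are dropped to keep the list actionable.
    Returns dicts sorted with ransomware-linked, then most overdue, entries first.
    """
    today = date.fromisoformat(today_iso)
    wanted = [p.lower() for p in products]
    findings = []
    for e in json.loads(kev_json)["vulnerabilities"]:
        haystack = (e["vendorProject"] + " " + e["product"]).lower()
        if not any(p in haystack for p in wanted):
            continue
        if inventory is not None and e["cveID"] not in inventory:
            continue
        due = date.fromisoformat(e["dueDate"])
        findings.append({
            "cve": e["cveID"],
            "product": e["product"],
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "overdue": due < today,
            "days_past_due": (today - due).days,  # negative when not yet due
        })
    # False sorts before True, so negate the ransomware flag to put it first.
    findings.sort(key=lambda f: (not f["ransomware"], -f["days_past_due"]))
    return findings


if __name__ == "__main__":
    for f in triage_kev(SAMPLE_KEV, ["VMware"], "2025-11-01"):
        flag = "RANSOMWARE " if f["ransomware"] else ""
        state = f"{f['days_past_due']}d overdue" if f["overdue"] else "not yet due"
        print(f"{f['cve']:<16}{flag}{f['product']} ({state})")
```

Pointing the same function at the live catalog download and a real asset inventory turns the KEV feed into a prioritized patch list rather than a reading assignment.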
For example, in October, CISA mandated that government agencies patch a critical vulnerability (CVE-2025-41244) found in Broadcom’s VMware Aria Operations and VMware Tools software, which had been exploited by Chinese hackers in zero-day attacks since October 2024. Additionally, a more recent critical vulnerability in VMware vCenter Server (CVE-2024-37079) was also flagged by CISA as actively exploited, prompting federal agencies to secure their servers by February 13.
In other developments this week, cybersecurity company GreyNoise reported that CISA has quietly flagged 59 security vulnerabilities as known to be exploited in ransomware campaigns over the previous year alone.
With attackers increasingly chaining hypervisor flaws into ransomware operations, the question for defenders is whether their patching and mitigation of VMware infrastructure is keeping pace with the KEV catalog and its due dates.