Ransomware exploits a critical VMware ESXi vulnerability that breaks hypervisor isolation


This week the security community received another alarm signal: the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that ransomware groups have started exploiting a high-severity vulnerability in VMware ESXi that had already been used in zero-day attacks. This is not just any flaw: it is a mechanism that allows an attacker, from inside a virtual machine with certain privileges, to compromise the core of the hypervisor and "break out" of the confined environment.

In March 2025 Broadcom (owner of VMware) released patches for a series of related flaws (including the arbitrary kernel write vulnerability tracked as CVE-2025-22225, along with an information leak and a TOCTOU-type bug) and already at that time classified them as exploited in the wild. The technical description indicates that if an adversary obtains privileges within the VMX process, they can trigger an arbitrary write in the kernel and thus escape the VM sandbox, something that in practice turns a compromised virtual machine into a gateway to the rest of the infrastructure.


It is important to understand why such flaws are particularly dangerous. In virtualized environments the hypervisor is the layer that separates multiple virtual machines and manages shared resources; a vulnerability that breaks that separation gives the attacker the ability to move laterally, access data from other VMs, or install persistent tools at the host level. That is why the VMware patches affect a wide range of products (including ESXi, vSphere, Workstation and others) and why malicious actors who manage to chain flaws with high privileges can gain very significant control over the environment.

CISA's confirmation that this vulnerability is now being used in ransomware campaigns highlights the real risk for companies and public administrations. The agency has already added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue and, for federal agencies, has set deadlines and guidance under Binding Operational Directive 22-01. The official recommendation is clear: apply the mitigations indicated by the vendor, follow the applicable guidance for cloud services or, if no mitigation is available, discontinue use of the affected product until it can be secured.

This is not the first time in recent months that CISA has identified vulnerabilities in VMware products as exploited in real attacks. The virtualization ecosystem is an attractive target for criminal groups and state actors because many critical workloads and sensitive data run on these platforms: compromising the hypervisor offers a much greater operational return than attacking a single isolated machine. This concentration of risk explains the attention given to both security updates and urgent patching orders.

Private research has documented sophisticated campaigns that take advantage of these weaknesses. Cybersecurity companies have published analyses pointing to Chinese-speaking actors chaining similar flaws in targeted attacks for some time, suggesting that these vectors have been exploited persistently and with some degree of automation. For those who manage infrastructure, this should be read as a warning: the vectors that appear in public alerts today have often already been used in more discreet attacks.

From the operational point of view, the recommendation for IT and security teams is unequivocal: patch as soon as possible and follow the vendor's instructions. In addition, it is advisable to review privilege settings inside virtual machines to minimize the accounts and processes with access to the VMX process, to strengthen monitoring for abnormal activity on the hypervisor, and to make sure that backups and response plans are up to date and tested. For entities subject to government directives, implementing CISA's orders within the deadlines is mandatory.
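As an added illustration of the KEV-driven prioritization described above (this is example code, not from the article, CISA or VMware), the following script reads a catalogue feed in the shape of CISA's KEV JSON, matches it against an asset inventory, and orders the hits so that entries flagged with known ransomware use and the nearest BOD 22-01 due dates come first. The field names are those of the published KEV feed; the sample entries, the inventory and the reference date are constructed for the example, and the two `CVE-0000-…` identifiers are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names match the
# published feed; the entries themselves are illustrative, not copied from CISA.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
     "vulnerabilityName": "VMware ESXi arbitrary write (VMX escape)",
     "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
     "requiredAction": "Apply mitigations per vendor instructions",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Router",
     "vulnerabilityName": "placeholder entry", "dateAdded": "2025-02-01",
     "dueDate": "2025-02-22", "requiredAction": "Apply mitigations",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "VMware", "product": "Workstation",
     "vulnerabilityName": "placeholder entry", "dateAdded": "2025-03-04",
     "dueDate": "2025-03-25", "requiredAction": "Apply mitigations",
     "knownRansomwareCampaignUse": "Unknown"},
]})

def load_kev(text):
    """Parse the KEV JSON feed and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]

def prioritize(entries, inventory, today):
    """Return KEV entries matching our (vendor, product) inventory, ordered so that
    ransomware-associated and soonest-due items come first. days_left is the time
    remaining to the BOD 22-01 due date (negative means already overdue)."""
    hits = []
    for e in entries:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue
        due = date.fromisoformat(e["dueDate"])
        hits.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "days_left": (due - today).days,
            "action": e["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["ransomware"], h["days_left"]))
    return hits

def demo_hits():
    """Run the prioritization over the constructed sample with a hypothetical inventory."""
    inventory = {("VMware", "ESXi"), ("VMware", "Workstation")}
    return prioritize(load_kev(SAMPLE_KEV), inventory, date(2025, 3, 10))

if __name__ == "__main__":
    for hit in demo_hits():
        print(hit)
```

Against a live download of the KEV feed, the same `prioritize` call gives a patch queue in which the ESXi escape sits at the top for any site that runs ESXi.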


There is also a detection and response component: monitoring indicators of compromise associated with sandbox escapes and lateral movement, and working with intelligence and detection providers to identify early signals. In this regard, independent analysts have criticized that some CISA updates on vulnerabilities exploited in ransomware campaigns were published with little visibility; organizations dedicated to tracking Internet noise and abuse have tried to shed light on these changes to help defence teams prioritize.

In the end, what is clear is that the combination of vulnerabilities in the virtualization layer offers a vector too attractive for attackers to ignore. The practical recommendation for infrastructure managers is simple in terms of priority: move quickly on the patches published by the vendor, reduce the attack surface by limiting privileges, and strengthen detection capabilities so as not to depend solely on the patch closing the door after someone has already got in.

If you want to consult official sources and expand on this information, you can review the corresponding entry in the CISA catalogue of exploited vulnerabilities (CVE-2025-22225 in the CISA catalogue), the note with the March 2025 additions (CISA notices, March 4, 2025), the VMware security advisories page where the fixes are published (VMware Security Advisories), and contextual analysis from security and detection companies that have followed these campaigns (Huntress and GreyNoise).
