CISA Warns of Critical VMware ESXi Flaw Exploited in Ransomware Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding a high-severity vulnerability in VMware ESXi, a widely used virtualization platform. This flaw, tracked as CVE-2025-22225, has been exploited by ransomware gangs, posing a significant threat to enterprise systems.
The vulnerability, discovered by cybersecurity firm Broadcom, allows malicious actors with elevated privileges to trigger arbitrary kernel writes, potentially escaping the sandbox and gaining control of the virtual machine. This issue was initially patched by Broadcom in March 2025, alongside two other vulnerabilities (CVE-2025-22226 and CVE-2025-22224) that were also actively exploited in zero-day attacks.
According to a report by Huntress, Chinese-speaking threat actors have been exploiting these flaws in sophisticated zero-day attacks since at least February 2024. The report highlights the severity of the situation, as these vulnerabilities can be chained together to escape the virtual machine's security sandbox.
CISA's Known Exploited Vulnerabilities (KEV) catalog now includes CVE-2025-22225, indicating that it is being actively used in ransomware campaigns. While CISA did not disclose specific details about these attacks, it has mandated that federal agencies secure their systems by March 25, 2025, to mitigate the risk.
Ransomware gangs and state-sponsored hacking groups often target VMware vulnerabilities due to the widespread deployment of VMware products in enterprise systems. For instance, CISA recently ordered government agencies to patch a high-severity vulnerability in VMware Aria Operations and VMware Tools, which Chinese hackers had been exploiting since October 2024.
Additionally, CISA has tagged a critical VMware vCenter Server vulnerability (CVE-2024-37079) as actively exploited and ordered federal agencies to secure their servers by February 13. The agency has also revealed that it silently tagged 59 security flaws as known to be used in ransomware campaigns last year alone.
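One way a defender turns the KEV mandates described above into a routine check, as an added example (not code from the article, CISA or VMware): parse the KEV JSON feed, filter for VMware entries flagged with known ransomware use, and cross-check the CVE IDs a vulnerability scanner reports against their CISA due dates. The feed sample below is constructed to match the real feed's field names; its dates, names and the non-VMware entry are placeholders (the real feed lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the
# real feed; the dateAdded values, vulnerability names and the third (non-VMware)
# entry are illustrative placeholders, not copied from the catalog.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         "vulnerabilityName": "VMware ESXi arbitrary kernel write (sample)",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
         "vulnerabilityName": "VMware vCenter Server vulnerability (sample)",
         "dateAdded": "2025-01-23", "dueDate": "2025-02-13",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleCorp", "product": "Widget",
         "vulnerabilityName": "Placeholder non-VMware entry",
         "dateAdded": "2025-03-01", "dueDate": "2025-03-22",
         "knownRansomwareCampaignUse": "Known"},
    ],
})


def load_kev(raw: str) -> list:
    """Return the list of catalog entries from a KEV feed document."""
    return json.loads(raw)["vulnerabilities"]


def vmware_entries(entries: list, ransomware_only: bool = False) -> list:
    """Keep VMware entries; optionally only those CISA flags as used by ransomware."""
    out = []
    for e in entries:
        if e.get("vendorProject", "").lower() != "vmware":
            continue
        if ransomware_only and e.get("knownRansomwareCampaignUse") != "Known":
            continue
        out.append(e)
    return out


def overdue(entries: list, today_iso: str) -> list:
    """CVE IDs whose CISA remediation due date is already past as of today_iso."""
    today = date.fromisoformat(today_iso)
    return sorted(e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today)


def cross_check(raw: str, unpatched_cves: set, today_iso: str) -> list:
    """Join scanner-reported unpatched CVEs (constructed input) against the KEV feed."""
    by_id = {e["cveID"]: e for e in load_kev(raw)}
    today = date.fromisoformat(today_iso)
    hits = []
    for cve in sorted(unpatched_cves):
        e = by_id.get(cve)
        if e is None:
            continue  # not in KEV: still patch, but no federal due date applies
        hits.append({"cve": cve, "product": e["product"], "due": e["dueDate"],
                     "ransomware": e["knownRansomwareCampaignUse"] == "Known",
                     "overdue": date.fromisoformat(e["dueDate"]) < today})
    return hits
```

Feeding `cross_check` the CVE list from your own ESXi/vCenter scan output gives a short list of what is both confirmed exploited and past CISA's deadline, which is the priority order most teams want.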
The rapid evolution of IT infrastructure presents challenges for manual workflows, emphasizing the need for automated responses and intelligent workflows. As the IT landscape continues to evolve, organizations must stay vigilant and proactive in addressing these emerging security threats.