CISA has confirmed that ransomware gangs are actively exploiting a high-severity VMware ESXi sandbox escape vulnerability (CVE-2025-22225) that was previously used in zero-day attacks, with Chinese-speaking threat actors likely chaining it with other flaws since early 2024.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning that ransomware operators are now actively exploiting a critical VMware ESXi vulnerability that was previously observed in sophisticated zero-day attacks. The flaw, tracked as CVE-2025-22225, allows attackers with VMX process privileges to trigger arbitrary kernel writes, enabling them to escape the virtual machine's sandbox and gain deeper access to host systems.
From Zero-Day to Ransomware Weapon
Broadcom patched CVE-2025-22225 in March 2025 alongside two other vulnerabilities: a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224). All three were initially flagged as actively exploited zero-days, with the company warning that attackers with privileged administrator or root access could chain these flaws to escape virtual machine sandboxes.
The vulnerability affects multiple VMware products including ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform. According to cybersecurity firm Huntress, Chinese-speaking threat actors have likely been chaining these vulnerabilities in sophisticated attacks since at least February 2024—nearly a year before the official patches were released.
CISA's Escalating Concerns
In its Wednesday update to the Known Exploited Vulnerabilities (KEV) catalog, CISA confirmed that CVE-2025-22225 is now being used in active ransomware campaigns. This marks a dangerous escalation from the initial zero-day exploitation to widespread criminal use.
CISA first added the vulnerability to its catalog in March 2025 and mandated federal agencies to secure their systems by March 25, 2025, under Binding Operational Directive 22-01. The agency's guidance remains clear: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Why VMware Remains a Prime Target
Ransomware gangs and state-sponsored hacking groups consistently target VMware vulnerabilities because these products are widely deployed across enterprise environments where they store and manage critical corporate data. The virtualization layer represents a high-value target since compromising it can provide access to multiple systems simultaneously.
This pattern of VMware targeting continues a concerning trend. In October 2025, CISA ordered government agencies to patch another high-severity vulnerability (CVE-2025-41244) in Broadcom's VMware Aria Operations and VMware Tools software, which Chinese hackers had exploited in zero-day attacks since October 2024.
Most recently, in January 2025, CISA tagged a critical VMware vCenter Server vulnerability (CVE-2024-37079) as actively exploited, giving federal agencies until February 13 to secure their servers.
The Broader Threat Landscape
This week, cybersecurity company GreyNoise reported that CISA has "silently" tagged 59 security flaws as known to be used in ransomware campaigns throughout 2025 alone. This revelation underscores the accelerating pace at which vulnerabilities are being weaponized by criminal groups.
Related vulnerabilities CISA has recently flagged include:
- A five-year-old GitLab flaw being exploited in attacks
- A critical SolarWinds RCE flaw used in active campaigns
- A SolarWinds Web Help Desk flaw now in ransomware operations
- Multiple enterprise software bugs confirmed as actively exploited
Protection and Mitigation
Organizations running VMware infrastructure should immediately:
- Verify all VMware products are updated with the March 2025 security patches
- Review access controls for VMX processes and privileged accounts
- Monitor for unusual sandbox escape attempts or kernel-level modifications
- Implement network segmentation to limit lateral movement if compromise occurs
- Consider additional monitoring for indicators of compromise specific to these vulnerabilities
The exploitation of CVE-2025-22225 demonstrates how quickly vulnerabilities can transition from targeted zero-day attacks to widespread ransomware campaigns. Given that Chinese-speaking threat actors likely possessed these capabilities for nearly a year before patches were available, the window for proactive defense has narrowed significantly.

Organizations that have not yet applied the March 2025 VMware patches should treat this as an urgent priority, as the shift from zero-day exploitation to ransomware campaigns typically signals that the vulnerability has been incorporated into automated attack tools available to a broader range of criminal actors.
