Active Exploitation of VMware Vulnerabilities Enables Ransomware Deployment and Security Evasion

Surge in Ransomware Attacks Exploiting VMware Vulnerabilities Triggers Global Alerts 

A wave of ransomware attacks exploiting critical vulnerabilities in VMware virtualization software has raised alarms worldwide. Cybercriminals are targeting flaws in ESXi, Workstation, and Fusion products to disrupt enterprise infrastructures. 

The vulnerabilities, CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (CVSS 8.2), and CVE-2025-22226 (CVSS 7.1), let an attacker who already holds administrative rights inside a guest VM break out of virtual machine (VM) containment, take control of the hypervisor, and spread ransomware across entire server clusters. According to Shadowserver, more than 41,500 internet-exposed VMware ESXi hypervisors remained vulnerable to CVE-2025-22224, a critical zero-day actively exploited in attacks, as of March 4, 2025. 

Exploiting a Trio of Vulnerabilities 

CVE-2025-22224 is a time-of-check/time-of-use race in VMware's VMCI driver that leads to an out-of-bounds (heap) write. An attacker with local administrative privileges inside a guest VM can use it to execute code in the host's VMX process, the user-world process that runs that VM, which is the entry point for the rest of the chain. 

From there, CVE-2025-22225, an arbitrary write reachable from the VMX process, gives the attacker a kernel write on the ESXi host and completes the escape from the VMX sandbox to kernel-level control. 

CVE-2025-22226, an out-of-bounds read in the HGFS (shared folders) component, lets an attacker with administrative rights in a guest leak memory from the VMX process. Credentials recovered that way support lateral movement to vCenter and other critical systems. 

Attack Progression 

The breach typically begins with an internet-facing VM, often compromised through a web shell or stolen credentials, after which the attacker obtains administrative rights inside that guest. With those rights, they exploit CVE-2025-22224 to break out of the VM and execute code in the VMX process on the ESXi host. 

CVE-2025-22225 then takes them from the VMX process to the ESXi kernel, and CVE-2025-22226 lets them read VMX memory for credentials. None of these steps cross the network, so traditional network-based defenses see nothing. 

From the hypervisor, attackers pivot to vCenter over SSH with harvested credentials or by exploiting unpatched vulnerabilities, often passing through weak inter-subnet firewall policies. The final stage encrypts VM disk files (VMDKs) and deletes backups in vSphere datastores, which effectively cripples business operations, according to a report from Sygnia. 

Security Monitoring Challenges 

Organizations face several challenges in detecting and mitigating these attacks: 

  • Hypervisor Blind Spots: Only 38% of organizations monitor ESXi logs (e.g., /var/log/hostd.log) for anomalies, so host-level events such as SSH being enabled or datastore files being deleted go unseen. 
  • Log Noise Overload: VMware hosts emit large volumes of log data, which lets malicious activity hide among routine task and event entries. 
  • Segmentation Weaknesses: 72% of affected organizations lack proper micro-segmentation between management interfaces (ESXi, vCenter, SSH) and production networks. 
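As an added example (not code from the article, from Sygnia or from VMware), the following Python scans hostd.log-style lines for a few indicators the attack chain above would leave behind on the host: SSH being enabled, an interactive root login, and datastore file deletions, and then correlates SSH enablement with deletes that follow it within a short window. The log lines are constructed, and the message strings the patterns match on are assumptions about hostd's wording that should be checked against your own hosts' logs before use.

```python
"""Scan ESXi hostd.log lines for ransomware-precursor indicators.

Added example; not code from the article or from VMware. The sample log is
constructed, and the exact message strings matched below are assumptions
about hostd wording: validate them against a real host before deploying.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lenient hostd.log line shape: "<ISO timestamp> <level> hostd[<pid>] <message>"
# (assumed; real lines also carry an "[Originator@6876 sub=...]" prefix in <message>).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+[Hh]ostd\[(?P<pid>\d+)\]:?\s+(?P<msg>.*)$"
)

# (indicator, severity, pattern). The patterns are illustrative assumptions.
INDICATORS = [
    ("ssh_enabled", "high", re.compile(r"SSH for the host has been enabled")),
    ("root_login", "medium", re.compile(r"User root@(?P<src>[\d.]+) logged in as")),
    ("datastore_delete", "high", re.compile(r"vim\.FileManager\.deleteFile")),
    ("snapshot_remove_all", "medium", re.compile(r"vim\.VirtualMachine\.removeAllSnapshots")),
]


@dataclass
class Finding:
    ts: str
    indicator: str
    severity: str
    message: str


def _parse_ts(ts: str) -> datetime:
    # hostd writes UTC with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan(lines):
    """Return one Finding per (line, indicator) match, in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines, blank lines, other daemons
        msg = m.group("msg")
        for name, severity, pattern in INDICATORS:
            if pattern.search(msg):
                findings.append(Finding(m.group("ts"), name, severity, msg))
    return findings


def correlate(findings, window_minutes=30):
    """Pair each SSH enablement with datastore deletes that follow it within the window.

    SSH being switched on and VMDK-level deletes minutes later is the sequence
    the article describes for the encryption stage; either event alone is noisy,
    together they are worth paging on.
    """
    window = timedelta(minutes=window_minutes)
    enables = [f for f in findings if f.indicator == "ssh_enabled"]
    deletes = [f for f in findings if f.indicator == "datastore_delete"]
    pairs = []
    for e in enables:
        t_enable = _parse_ts(e.ts)
        for d in deletes:
            delta = _parse_ts(d.ts) - t_enable
            if timedelta(0) <= delta <= window:
                pairs.append((e.ts, d.ts))
    return pairs


# Constructed sample shaped like hostd.log; not captured from a real host.
SAMPLE_LOG = """\
2025-03-05T09:58:11.104Z info hostd[2099345] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-ha-host-vim.host.ServiceSystem.start-1201
2025-03-05T09:58:12.220Z info hostd[2099345] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 301 : SSH for the host has been enabled.
2025-03-05T10:01:40.002Z info hostd[2099345] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 302 : User root@198.51.100.23 logged in as pyvmomi
2025-03-05T10:04:05.877Z info hostd[2099345] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask--vim.FileManager.deleteFile-1210
2025-03-05T10:04:06.010Z info hostd[2099345] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask--vim.FileManager.deleteFile-1211
2025-03-05T11:30:00.000Z info hostd[2099345] [Originator@6876 sub=Hostsvc] Heartbeat ok
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts} {f.severity:6} {f.indicator:18} {f.message[:60]}")
    for enabled_at, deleted_at in correlate(found):
        print(f"ALERT: SSH enabled {enabled_at}, datastore delete {deleted_at}")
```

On a real host the same logic would be fed by forwarding hostd.log (and vmkernel.log, for VMX process crashes) to a central collector; the point of the correlation step is that a single "SSH enabled" event is routine maintenance noise, whereas SSH enablement followed by a burst of datastore deletes is the shape of the final stage described above.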

High-Impact Targets and Ransom Demands 

The healthcare and financial sectors have reported the highest attack rates, with ransomware encrypting entire patient record systems and transaction databases within 47 minutes of initial access. Ransom demands typically range from $2 million to $5 million, with double extortion tactics threatening data leaks on dark web forums. 

VMware Patches and Urgent Mitigation 

Broadcom has released emergency patches for the vulnerabilities in VMware products, addressing CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The following patched versions are now available: 

  • VMware ESXi 8.0: ESXi80U3d-24585383, ESXi80U2d-24585300 
  • VMware ESXi 7.0: ESXi70U3s-24585291 
  • VMware ESXi 6.7: ESXi670-202503001 
  • VMware Workstation 17.x: 17.6.3 
  • VMware Fusion 13.x: 13.6.3 

Additionally, VMware Cloud Foundation customers can apply asynchronous patches, while Telco Cloud Platform users should update to a fixed ESXi version. 
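To turn the patch list above into a check, here is an added Python example (not code from the article or from Broadcom) that reads the text of `vmware -vl` from each host, whose first line is assumed to look like `VMware ESXi 8.0.3 build-24585383`, and compares the build number against the fixed build for that release line. Hosts on a release line with no listed fix (8.0 U1 and earlier, for instance) are reported separately, since they need an update-release upgrade rather than a patch, and 6.7 is flagged for manual checking because its fix is published as a bulletin ID rather than a build. The sample outputs are constructed.

```python
"""Compare ESXi host builds against the fixed builds for CVE-2025-22224/22225/22226.

Added example; not code from the article or from Broadcom. Input is the text
of `vmware -vl` per host, whose first line is assumed to look like
"VMware ESXi 8.0.3 build-24585383". Sample outputs below are constructed.
"""
import re

# Fixed builds per release line, from the patch list in the article.
# Version strings follow `vmware -vl`: 8.0.3 is 8.0 Update 3, 8.0.2 is
# 8.0 Update 2, 7.0.3 is 7.0 Update 3.
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}
# 6.7's fix (ESXi670-202503001) is given as a bulletin ID, not a build number.
MANUAL_CHECK_LINES = {"6.7.0"}

VERSION_RE = re.compile(r"VMware ESXi (?P<version>\d+\.\d+\.\d+) build-(?P<build>\d+)")


def assess(vmware_vl_output: str):
    """Return (status, detail) for one host.

    status is one of: patched, vulnerable, no_fix_listed, manual_check, unknown.
    Within one release line, VMware build numbers only increase with later
    patches, so build >= fixed build means the fix (or a later one) is present.
    """
    m = VERSION_RE.search(vmware_vl_output)
    if not m:
        return "unknown", "could not parse version/build from output"
    version, build = m.group("version"), int(m.group("build"))
    if version in MANUAL_CHECK_LINES:
        return "manual_check", f"ESXi {version} build {build}: verify bulletin ESXi670-202503001 is installed"
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return "no_fix_listed", (f"ESXi {version} build {build}: no fixed build for this release line; "
                                 "upgrade to a supported update release")
    if build >= fixed:
        return "patched", f"ESXi {version} build {build} >= {fixed}"
    return "vulnerable", f"ESXi {version} build {build} < {fixed}"


def fleet_report(outputs: dict):
    """Map hostname -> (status, detail) and group the hostnames by status."""
    per_host = {host: assess(text) for host, text in outputs.items()}
    by_status = {}
    for host, (status, _) in per_host.items():
        by_status.setdefault(status, []).append(host)
    return per_host, by_status


# Constructed `vmware -vl` outputs (and one failed SSH collection); not from real hosts.
SAMPLE_OUTPUTS = {
    "esx01": "VMware ESXi 8.0.3 build-24585383\nVMware ESXi 8.0 Update 3\n",
    "esx02": "VMware ESXi 8.0.3 build-24022510\nVMware ESXi 8.0 Update 3\n",
    "esx03": "VMware ESXi 8.0.2 build-24585300\nVMware ESXi 8.0 Update 2\n",
    "esx04": "VMware ESXi 8.0.1 build-22088125\nVMware ESXi 8.0 Update 1\n",
    "esx05": "VMware ESXi 6.7.0 build-17700523\nVMware ESXi 6.7 Update 3\n",
    "esx06": "ssh: connect to host esx06 port 22: Connection refused\n",
}

if __name__ == "__main__":
    per_host, by_status = fleet_report(SAMPLE_OUTPUTS)
    for host, (status, detail) in per_host.items():
        print(f"{host}: {status:13} {detail}")
    print("needs action:", sorted(by_status.get("vulnerable", []) + by_status.get("no_fix_listed", [])))
```

A host that cannot be reached (esx06 above) is deliberately reported as unknown rather than silently skipped, since an unreachable management interface during an incident is itself worth a look; and a host on a release line with no listed fix is not "vulnerable but patchable", it has to be moved to a supported update release first.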

Immediate Action Required 

Broadcom strongly urges all VMware customers to apply the patches without delay. These vulnerabilities are especially dangerous because: 

  • They are actively being exploited in the wild. 
  • They let an attacker with administrative access inside a single guest VM escape the VM sandbox and compromise every VM on the host. 
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all three CVEs to its Known Exploited Vulnerabilities (KEV) list. 

Given the severity of these threats, organizations must swiftly identify affected systems, apply security updates, monitor for unusual activity, and review their cybersecurity defenses to prevent further breaches. 
