VMware ESXi Vulnerability (CVE 2025 22225)

Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that ransomware operators are actively exploiting a high‑severity VMware ESXi sandbox‑escape vulnerability, tracked as CVE‑2025‑22225 (CVSSv3 8.2). The flaw is an arbitrary write into the ESXi kernel: an attacker who already runs code inside a VM's VMX process (the per‑VM process on the host that implements the virtual machine monitor) can write to kernel memory, escape the VMX sandbox, and seize control of the underlying ESXi host. On its own it is a second‑stage bug. The practical path from a guest is to chain it with CVE‑2025‑22224, a VMCI heap overflow that gives an attacker with local administrative privileges inside a VM code execution as that VM's VMX process; CVE‑2025‑22226, an HGFS memory leak from the VMX process, can assist exploitation.

Broadcom issued patches for all three issues on March 4, 2025 in advisory VMSA‑2025‑0004 and stated at the time that it had information suggesting exploitation had already occurred in the wild. CISA added CVE‑2025‑22224, CVE‑2025‑22225 and CVE‑2025‑22226 to its Known Exploited Vulnerabilities (KEV) catalog and has since flagged CVE‑2025‑22225 as used in ransomware campaigns. Under BOD 22‑01, federal agencies were required to remediate affected systems by March 25, 2025.

Affected Products

Per Broadcom's advisory, VMSA‑2025‑0004 covers the following products. CVE‑2025‑22225 itself is an ESXi kernel flaw; Workstation and Fusion are listed because the companion issues CVE‑2025‑22224 and CVE‑2025‑22226 affect their VMX components, and Cloud Foundation, vSphere and Telco Cloud are affected through the ESXi hosts they bundle (vCenter Server is not listed in the advisory):

  • VMware ESXi (CVE‑2025‑22224, CVE‑2025‑22225, CVE‑2025‑22226)
  • VMware Workstation (CVE‑2025‑22224, CVE‑2025‑22226)
  • VMware Fusion (CVE‑2025‑22226)
  • VMware Cloud Foundation (via its ESXi hosts)
  • VMware vSphere (via its ESXi hosts)
  • VMware Telco Cloud Platform (via its ESXi hosts)

Threat Summary & Environment Impact

Threat actors, including clusters assessed to be aligned with Chinese state operations, have been chaining CVE‑2025‑22225 with the related VMCI and HGFS flaws (CVE‑2025‑22224 and CVE‑2025‑22226) in active campaigns since at least early 2024, well before the March 2025 patches existed. In practice, these exploit chains have enabled:

  • Reliable guest‑to‑host escape, starting from a VM on which the attacker already holds administrative rights (CVE‑2025‑22224 yields code execution as the VMX process; CVE‑2025‑22225 turns that into a kernel write on the host)

  • Hypervisor‑level compromise of ESXi hosts, beneath any security tooling running inside the guests

  • Fast, wide‑scale ransomware deployment, since an encryptor run on the host reaches every VM's disks on the datastore at once instead of having to compromise workloads one by one

Successful exploitation enables attackers to:

  • Seize control of the ESXi hypervisor and its management plane
  • Access and manipulate all guest virtual machines, including their memory, disks and stored credentials
  • Encrypt virtual disks (VMDK) and other datastore files (VMX, VMSD, VMSN), typically after force‑killing the running VMs to release file locks
  • Move laterally across virtualized environments, including to vCenter and other hosts
  • Disrupt critical business services at scale

Required Actions: Prevention & Hardening

1. Apply Broadcom Security Patches Immediately

    • Deploy the fixed builds from VMSA‑2025‑0004 for CVE‑2025‑22224/22225/22226: ESXi 8.0 U3d, 8.0 U2d and 7.0 U3s, Workstation 17.6.3, Fusion 13.6.3, and the corresponding VMware Cloud Foundation and Telco Cloud updates.
    • Broadcom lists no workaround for these CVEs; patching is the only fix. The hardening below shrinks the blast radius but does not stop exploitation on an unpatched host.
    • Prioritize ESXi 7.x and 8.x hosts that run multi‑tenant, internet‑facing or otherwise less‑trusted guests, because the chain starts from administrative rights inside a VM. Hosts on releases with no patch available have no fix path and should be upgraded or isolated.
    • Verify after patching: esxcli system version get must report a build number at or above the fixed build for that release line.

2. Follow CISA BOD 22‑01 Guidance

    • Implement all required remediation steps for on‑prem and cloud systems.
    • If remediation is not possible, discontinue use of the affected components.

3. Restrict Privileged Access

    • Until hosts are patched, treat local administrator or root inside any guest as a potential hypervisor attacker: limit who holds those rights, and avoid placing untrusted VMs on hosts that also run sensitive workloads.
    • Limit ESXi root, SSH, ESXi Shell and DCUI access. Manage hosts through vCenter with lockdown mode (Normal or Strict) and named administrator accounts rather than a shared root password.
    • Enforce MFA and a privileged access management (PAM) workflow for vCenter and ESXi administrators.

4. Harden ESXi Hosts

    • Disable non‑essential services: keep SSH (TSM‑SSH) and the ESXi Shell (TSM) stopped and set to start manually, and disable the DCUI where hosts are managed through vCenter.
    • Reduce management exposure with the ESXi firewall: restrict the sshServer and vSphereClient rulesets to the management subnet instead of allowing all IPs.
    • Turn on the platform controls from the vSphere Security Configuration Guide, in particular the execInstalledOnly kernel setting (so a dropped encryptor that was not installed from a VIB cannot execute), UEFI Secure Boot, and TPM‑backed configuration encryption where the hardware supports it.

5. Monitor for Hypervisor‑Level Anomalies

Use EDR/XDR or SIEM tooling that ingests ESXi telemetry, and forward syslog off the host: local ESXi logs live on a ramdisk and are lost on reboot unless a persistent scratch location is configured. Monitor for:

    • VMX process crashes or core dumps for a VM, which a failed exploit attempt can produce (hostd.log and the VM's own vmware.log)
    • SSH or ESXi Shell being enabled outside a change window, and logins in auth.log from outside the management subnet
    • Shell commands recorded in shell.log such as esxcli vm process kill, vim-cmd vmsvc/power.off, disabling the host firewall, or making files in /tmp executable
    • Unexpected VMDK encryption, mass renames or ransom notes on datastores, and unexplained VIB installs or kernel module loads
    • Unauthorized logins to vCenter and the ESXi Host Client

6. Enforce Network Isolation

    • Place management, vMotion and storage interfaces on isolated VLANs that workloads cannot reach.
    • Block internet exposure of ESXi and vCenter management endpoints (HTTPS, port 902, SSH and the Host Client UI).

7. Validate and Test Backups

    • Maintain immutable, offline, or air‑gapped backups. Backups that sit on the same datastores, or are reachable with the same vCenter credentials, will be encrypted together with the VMs.
    • Regularly test recovery processes and validate VMDK integrity.

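The patch‑state and exposure checks from steps 1 and 4 above, as an added example that is not part of the original page and not Broadcom or CISA tooling. It parses the output of esxcli system version get and esxcli network firewall ruleset list in the formats the author recalls from ESXi 7/8, compares the host build against the fixed builds of VMSA‑2025‑0004 (the build numbers are recalled from the advisory and must be confirmed against it before use), and flags enabled firewall rulesets that widen the management attack surface. The ruleset policy and the sample command output are assumptions constructed for the example, not captures from a real host.

```python
"""Patch-state and exposure audit for VMSA-2025-0004 on an ESXi host.

Added example (not Broadcom or CISA tooling). Run it in the ESXi shell, or
point it at saved command output. Output formats are as the author recalls
them from ESXi 7/8; the embedded samples are constructed, not real captures.
"""
import re
import shutil
import subprocess
import sys

# Minimum fixed build per (release line, update level) as the author recalls
# them from VMSA-2025-0004 (assumption: confirm against the advisory first).
FIXED_BUILDS = {
    ("8.0", 3): 24585383,  # ESXi 8.0 U3d
    ("8.0", 2): 24585300,  # ESXi 8.0 U2d
    ("7.0", 3): 24585291,  # ESXi 7.0 U3s
}

# Firewall rulesets a hardened host should keep off or restricted to the
# management subnet (assumption: site policy; adjust to yours).
RISKY_RULESETS = {"sshServer", "vSPC", "remoteSerialPort"}


def parse_version(text):
    """Turn `esxcli system version get` output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def patch_state(version_output):
    """Classify a host as 'patched', 'vulnerable' or 'unknown' for CVE-2025-22225.

    Build numbers only increase within a release line, so a host is fixed when
    its build is at or above the fixed build for its line and update level.
    """
    f = parse_version(version_output)
    try:
        line = ".".join(f["Version"].split(".")[:2])                 # "8.0.3" -> "8.0"
        update = int(f["Update"])
        build = int(re.search(r"(\d+)\s*$", f["Build"]).group(1))   # "Releasebuild-24022510"
    except (KeyError, ValueError, AttributeError):
        return "unknown", "could not parse `esxcli system version get` output"
    fixed = FIXED_BUILDS.get((line, update))
    if fixed is None:
        return "unknown", f"no fixed build on record for ESXi {line} U{update}; check VMSA-2025-0004"
    if build >= fixed:
        return "patched", f"build {build} is at or above fixed build {fixed}"
    return "vulnerable", f"build {build} is below fixed build {fixed}; apply the ESXi {line} U{update} patch"


def enabled_rulesets(firewall_output):
    """Names of enabled rulesets from `esxcli network firewall ruleset list`."""
    enabled = set()
    for line in firewall_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lower() == "true":
            enabled.add(parts[0])
    return enabled


def exposure_findings(firewall_output):
    """Enabled rulesets that widen the host's management attack surface."""
    return sorted(enabled_rulesets(firewall_output) & RISKY_RULESETS)


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed samples: an 8.0 U3 GA host with SSH reachable. Not real captures.
SAMPLE_VERSION = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
"""
SAMPLE_FIREWALL = """\
Name                 Enabled
-------------------  -------
sshServer            true
sshClient            false
vSphereClient        true
DHCPv6               false
"""


def main():
    if shutil.which("esxcli"):                       # running on the host itself
        version = run(["esxcli", "system", "version", "get"])
        firewall = run(["esxcli", "network", "firewall", "ruleset", "list"])
    else:                                            # offline: use the constructed samples
        version, firewall = SAMPLE_VERSION, SAMPLE_FIREWALL
    status, detail = patch_state(version)
    print(f"[{status.upper()}] {detail}")
    for name in exposure_findings(firewall):
        print(f"[EXPOSURE] firewall ruleset '{name}' is enabled; restrict it to the management subnet or disable it")
    sys.exit(2 if status == "vulnerable" else 0)


if __name__ == "__main__":
    main()
```

Run on the sample, the script reports the host as vulnerable (build 24022510 is the 8.0 U3 GA build, below 8.0 U3d) and flags the sshServer ruleset. The comparison is done per release line and update level on purpose: a patched 8.0 U2d host carries a higher build number than an unpatched 8.0 U3 GA host, so a single global threshold would misclassify one of them.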
Incident Response: If Compromise is Suspected

1. Isolate the Host

    • Disconnect compromised ESXi hosts from production and management networks, but do not power them off or reboot: ESXi logs live on a ramdisk unless persistent scratch or remote syslog is configured, and memory state is lost on restart.
    • Revoke management access to the host (vCenter, SSH, Host Client) so that an attacker cannot continue from a session that is already open, and to stop lateral movement.

2. Collect Forensic Evidence

    • Preserve host logs (hostd.log, vmkernel.log, auth.log, shell.log, vobd.log), each affected VM's vmware.log and .vmx file, and vCenter logs; a vm-support bundle captures most of the host side.
    • Capture memory and system state where possible: host core dumps, snapshots with memory of affected guests, and a timestamped listing of datastore contents before anything is restored or deleted.

3. Eradication

    • Rebuild ESXi hosts from trusted installation media rather than cleaning in place; a host compromised at the kernel level cannot be verified clean.
    • Rotate all credentials the host could have exposed: ESXi root, vCenter and SSO accounts, Active Directory credentials if hosts are domain‑joined, and credentials stored inside guests that ran on the host.

4. Restore from Known‑Good Backups

    • Recover only from verified clean backups taken before the intrusion window.
    • Validate VMDKs (consistency checks and offline malware scans) before reintroducing workloads, and patch rebuilt hosts before any VM is powered on.

5. Post‑Incident Hardening

    • Reassess patching and vulnerability management processes, including how quickly KEV additions reach the hypervisor owners.
    • Enable continuous monitoring against KEV‑listed threats.

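A triage pass over the evidence collected in step 2 above, covering the indicators from monitoring step 5 of the hardening section, as an added example that is not part of the original page or any vendor tooling. It scans auth.log and shell.log lines for management logins from outside an assumed management subnet and for the shell commands that precede encryption on ESXi, and checks a datastore listing for VM files that gained an extra extension and for ransom‑note file names. The log formats are as the author recalls them from ESXi 7/8; the sample lines, the 10.10.0.0/24 allow‑list and the file names are constructed for the example.

```python
"""Triage of preserved ESXi logs and datastore listings for ransomware tradecraft.

Added example, not CISA's, Broadcom's or any vendor's tooling. Log formats are
as the author recalls them from ESXi 7/8; all sample data below is constructed.
"""
import ipaddress
import re
import sys
from collections import Counter

# Hypothetical management subnet; SSH logins from anywhere else are flagged.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]

SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)")
SHELL_CMD = re.compile(r"shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# Commands seen before encryption on ESXi: VMs are killed so their disks are
# unlocked, the host firewall is dropped, and an encryptor is staged in /tmp.
SUSPICIOUS_COMMANDS = [
    (r"esxcli\s+vm\s+process\s+kill", "forced VM kill (releases VMDK locks before encryption)"),
    (r"vim-cmd\s+vmsvc/power\.off", "VM powered off via vim-cmd"),
    (r"esxcli\s+network\s+firewall\s+set\s+--enabled\s+false", "host firewall disabled"),
    (r"find\s+/vmfs/volumes\b.*\.vmdk", "datastore enumeration for VMDK files"),
    (r"chmod\s+\+x\s+/tmp/", "file made executable in /tmp"),
]

# VM files that gained an extra extension, and ransom-note-like file names.
ENCRYPTED_VM_FILE = re.compile(r"\.(vmdk|vmx|vmsd|vmsn|vmxf|nvram)\.[A-Za-z0-9_-]{2,16}$", re.I)
RANSOM_NOTE = re.compile(r"(readme|recover|restore|how_to|decrypt)\w*\.(txt|html)$", re.I)


def outside_allowlist(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MGMT_ALLOWLIST)


def triage_logs(lines):
    """Return (rule, user, detail, raw_line) tuples for every suspicious log line."""
    findings = []
    for line in lines:
        m = SSH_LOGIN.search(line)
        if m:
            if outside_allowlist(m["ip"]):
                findings.append(("ssh_login_outside_mgmt", m["user"], m["ip"], line))
            continue
        m = SHELL_CMD.search(line)
        if not m:
            continue
        for pattern, why in SUSPICIOUS_COMMANDS:
            if re.search(pattern, m["cmd"]):
                findings.append(("suspicious_shell_command", m["user"], why, line))
                break
    return findings


def scan_listing(paths):
    """Split a datastore listing into (encrypted VM files, ransom notes)."""
    encrypted = [p for p in paths if ENCRYPTED_VM_FILE.search(p)]
    notes = [p for p in paths if RANSOM_NOTE.search(p.rsplit("/", 1)[-1])]
    return encrypted, notes


# Constructed sample data (not real logs): an off-hours root login from a
# non-management address, followed by the usual pre-encryption commands.
SAMPLE_LOGS = [
    "2025-03-05T02:13:41Z sshd[2101201]: Accepted keyboard-interactive/pam for root from 203.0.113.45 port 51234 ssh2",
    "2025-03-05T02:13:42Z shell[2101253]: [root]: esxcli vm process list",
    "2025-03-05T02:13:50Z shell[2101253]: [root]: esxcli network firewall set --enabled false",
    "2025-03-05T02:14:02Z shell[2101253]: [root]: esxcli vm process kill --type=force --world-id=2101777",
    "2025-03-05T02:14:10Z shell[2101253]: [root]: chmod +x /tmp/encrypt",
    "2025-03-05T09:00:00Z sshd[2102000]: Accepted publickey for root from 10.10.0.7 port 40022 ssh2",
]
SAMPLE_LISTING = [
    "/vmfs/volumes/ds01/web01/web01.vmx",
    "/vmfs/volumes/ds01/web01/web01.vmdk.akira",
    "/vmfs/volumes/ds01/web01/web01-flat.vmdk.akira",
    "/vmfs/volumes/ds01/web01/akira_readme.txt",
    "/vmfs/volumes/ds01/db01/db01.vmdk",
]


def main(argv):
    """Usage: triage.py [LOGFILE ...] [--listing LISTING]; no arguments runs the samples."""
    lines, paths = list(SAMPLE_LOGS), list(SAMPLE_LISTING)
    if argv:
        lines, paths = [], []
        it = iter(argv)
        for arg in it:
            target = paths if arg == "--listing" else lines
            name = next(it) if arg == "--listing" else arg
            with open(name, encoding="utf-8", errors="replace") as fh:
                target.extend(fh.read().splitlines())
    findings = triage_logs(lines)
    for rule, user, detail, raw in findings:
        print(f"[{rule}] user={user} {detail}\n    {raw}")
    encrypted, notes = scan_listing(paths)
    print(f"encrypted VM files: {len(encrypted)}, ransom notes: {len(notes)}")
    print("rule counts:", dict(Counter(rule for rule, *_ in findings)))


if __name__ == "__main__":
    main(sys.argv[1:])
```

On the sample data the script flags the 02:13 root login from 203.0.113.45, the firewall disablement, the forced VM kill and the chmod in /tmp, ignores the benign process listing and the daytime login from the management subnet, and reports two encrypted VM files plus one ransom note. Because ESXi does not log file writes, the datastore listing is the only host‑side evidence of encryption, which is why it is captured with timestamps before any restore.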
Bottom Line:

CVE‑2025‑22225 is a critical threat because it compromises the hypervisor itself, beneath every guest's own security controls, giving attackers control of an entire virtualized environment from a single foothold inside one VM. With ransomware campaigns confirmed to be abusing this flaw, organizations running VMware ESXi must treat patching, configuration hardening, and access control around their hypervisors as an immediate, top‑priority operational requirement.

Recent Ransomware Variants

  • Akira
  • Qilin
  • Anubis
  • DEVMAN
  • Ransom House
  • Chaos
  • Beast
  • INC
  • Inspire
  • Play
  • Hunters
  • Lynx
  • DataLeaks
  • BlackCat
  • Cactus
  • BianLian
  • Black Basta
  • theGentlemen
  • Dragonforce
  • Nightspire
  • Sinobi

Recent Engagement Types

  • Ransomware w/ On-Site Restoration
  • Web Application Penetration Test
  • BEC (Transfer Fraud, Impersonation)
  • Executive TTX
  • Web Server Compromise (SEO injection)
  • HIPAA Risk Assessment 
  • Targeted Threat Hunt for IOCs
  • Security Posture Review


