
CISA Reports Actively Exploited VMware ESXi Flaw in Ransomware Campaigns

Take action: If you are using VMware ESXi, Fusion, Workstation, Cloud Foundation or Telco Cloud and have not patched since March 2025, this is now URGENT. These flaws are being actively exploited, and regulators now mandate urgent patching. So start patching.

CISA is reporting active exploitation of a VMware ESXi flaw after reports that ransomware gangs are using it to breach virtualization environments.

The exploited flaw is CVE-2025-22225 (CVSS score 8.2), an arbitrary write vulnerability in the VMX process that enables a sandbox escape. An attacker who already has VMX privileges (for example, after gaining code execution in the VMX process through CVE-2025-22224 below) can trigger a malicious write to kernel memory and break out of virtual machine isolation. This grants the attacker high-level privileges and full code execution on the underlying ESXi host.

Broadcom patched it as part of a bigger patch in March 2025. Other flaws patched in the same release:

  • CVE-2025-22224 (CVSS score 9.3) - A TOCTOU (Time-of-Check Time-of-Use) vulnerability in the VMCI component that leads to an out-of-bounds write. An attacker with local administrative privileges on a guest virtual machine exploits the window between memory verification and memory use to overwrite memory. This allows the attacker to run arbitrary code within the VMX process on the host system.
  • CVE-2025-22226 (CVSS score 7.1) - An information disclosure vulnerability resulting from an out-of-bounds read in HGFS (the Host Guest File System used for shared folders). An attacker with administrative access to a guest virtual machine can use this flaw to leak sensitive data from VMX process memory. Such an information leak is typically chained with the other two vulnerabilities to achieve a complete host compromise.

Ransomware operators and threat actors have used these flaws to escape the virtual machine sandbox and gain control over the hypervisor and all hosted guest machines.

The vulnerabilities impact multiple VMware products and versions:

  • VMware ESXi 7.0 and 8.0
  • VMware Workstation 17.x
  • VMware Fusion 13.x
  • VMware Cloud Foundation 4.5.x and 5.x
  • VMware Telco Cloud Platform 2.x, 3.x, 4.x, and 5.x
  • VMware Telco Cloud Infrastructure 2.x and 3.x

Broadcom released fixed versions (for example, ESXi 8.0 Update 3d and Workstation 17.6.3) to address these flaws. CISA has ordered federal agencies to apply these patches by March 25, 2025.
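The first step for a defender is to find every asset that falls inside the affected product and version list above and check it against the fixed versions. The script below is an added example written for this article; it is not code from CISA or Broadcom. It encodes the affected product lines and the two fixed versions named in the text, parses version strings in both the advisory's form ("8.0 Update 3d") and the dotted form reported by tools such as `esxcli system version get` ("8.0.3"), and classifies each inventory entry. The host names and versions in the sample inventory are constructed for illustration; the `Asset` type, the `triage` function and the status labels are this example's own choices. Product lines for which the text names no fixed version are flagged as "verify" rather than guessed at.

```python
"""Triage a product inventory against the March 2025 VMware advisory scope.

Added example for this article; not vendor code. Affected versions and the
two fixed versions come from the text above; everything else is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    host: str
    product: str   # "ESXi", "Workstation", "Fusion", ...
    version: str   # "8.0 Update 3b", "8.0.3", "17.6.2", ...


# Affected product lines (version prefixes) as listed in the article.
AFFECTED = {
    "ESXi": ["7.0", "8.0"],
    "Workstation": ["17."],
    "Fusion": ["13."],
    "Cloud Foundation": ["4.5.", "5."],
    "Telco Cloud Platform": ["2.", "3.", "4.", "5."],
    "Telco Cloud Infrastructure": ["2.", "3."],
}

# Fixed versions explicitly named in the article. Other lines (ESXi 7.0,
# Fusion, Cloud Foundation, Telco Cloud) have their own fixed builds in
# Broadcom's advisory; they are deliberately not guessed here.
FIXED = {
    ("ESXi", "8.0"): "8.0 Update 3d",
    ("Workstation", "17."): "17.6.3",
}

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\s+Update\s+(\d+)([a-z])?)?$",
                     re.IGNORECASE)


def version_key(version: str) -> Tuple[int, int, int, str]:
    """Turn '8.0 Update 3d', '8.0.3' or '17.6.10' into a comparable tuple.

    Dotted parts compare as integers (17.6.10 > 17.6.3). An 'Update N<letter>'
    suffix becomes (N, letter); a missing letter sorts before 'a', so
    '8.0 Update 3' < '8.0 Update 3d'. A third dotted component without an
    'Update' suffix is folded into the update number, so the esxcli form
    '8.0.3' equals '8.0 Update 3'.
    """
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    update = int(m.group(2)) if m.group(2) else 0
    letter = (m.group(3) or "").lower()
    if len(nums) >= 3 and update == 0:
        update = nums[2]
    major = nums[0]
    minor = nums[1] if len(nums) > 1 else 0
    return (major, minor, update, letter)


def affected_line(asset: Asset) -> Optional[str]:
    """Return the affected version prefix this asset falls under, or None."""
    for prefix in AFFECTED.get(asset.product, []):
        if asset.version.startswith(prefix):
            return prefix
    return None


def triage(asset: Asset) -> str:
    """Classify one asset as not-in-scope, patched, VULNERABLE or verify."""
    prefix = affected_line(asset)
    if prefix is None:
        return "not-in-scope"
    fixed = FIXED.get((asset.product, prefix))
    if fixed is None:
        # In scope, but no fixed version is named in the article for this
        # line: confirm the patch level against Broadcom's advisory.
        return "verify"
    if version_key(asset.version) >= version_key(fixed):
        return "patched"
    return "VULNERABLE"


def report(inventory: List[Asset]) -> List[Tuple[str, str, str, str]]:
    """Triage a whole inventory; returns (host, product, version, status)."""
    return [(a.host, a.product, a.version, triage(a)) for a in inventory]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Asset("esx-01", "ESXi", "8.0 Update 3b"),
    Asset("esx-02", "ESXi", "8.0 Update 3d"),
    Asset("esx-03", "ESXi", "8.0.3"),          # as esxcli reports it
    Asset("esx-04", "ESXi", "7.0 Update 3"),
    Asset("ws-01", "Workstation", "17.6.2"),
    Asset("ws-02", "Workstation", "17.6.10"),
    Asset("fusion-01", "Fusion", "13.6.2"),
    Asset("vcf-01", "Cloud Foundation", "5.2.1"),
    Asset("lab-01", "Workstation", "16.2.5"),
]

if __name__ == "__main__":
    for host, product, version, status in report(SAMPLE_INVENTORY):
        print(f"{host:10} {product:28} {version:16} {status}")
```

One caveat worth noting in the output: `esxcli system version get` reports "8.0.3" for every 8.0 Update 3 release regardless of the letter suffix, so the script conservatively classifies a bare "8.0.3" as VULNERABLE. On a real host, resolve such entries by comparing the build number reported by esxcli with the fixed build listed in Broadcom's advisory.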