PROBABLYPWNED
Vulnerabilities · February 6, 2026 · 4 min read

CISA Confirms VMware ESXi Flaw Used in Ransomware

CVE-2025-22225 sandbox escape now confirmed as a ransomware attack vector. Exploitation toolkit predates Broadcom's patch by a full year.

Marcus Chen

CISA updated its Known Exploited Vulnerabilities catalog on February 5 to flag CVE-2025-22225—a VMware ESXi arbitrary write vulnerability—as actively used in ransomware operations. The update confirms what many defenders suspected: the ESXi sandbox escape that Broadcom patched nearly a year ago is now part of the ransomware playbook.

The vulnerability allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write, escaping the virtual machine sandbox to reach the underlying hypervisor. It's one of three related flaws (CVE-2025-22224, a heap overflow, and CVE-2025-22226, an information disclosure bug) that Broadcom patched together in March 2025 and immediately flagged as zero-days under active exploitation.

A Year-Long Head Start

What makes this disclosure particularly concerning is the timeline. According to Huntress researchers, threat actors had been exploiting all three CVEs since at least February 2024—a full year before Broadcom released patches. The exploit toolkit chains the three vulnerabilities together: HGFS for information leaking, VMCI for memory corruption, and custom shellcode that escapes to the ESXi kernel.

Huntress found evidence that the toolkit "may have been developed by Chinese-speaking exploit developers" more than a year before the public disclosure. An orchestrator component called MAESTRO manages the full VM escape sequence, disabling VMCI drivers, loading an unsigned exploit driver via bring-your-own-driver (BYOD) techniques, and coordinating exploitation across the chain.

That this capability has now trickled down from state-level operators to ransomware gangs isn't surprising, but it does change the urgency calculation. We've tracked similar state-to-criminal migration with CISA's recent BrickStorm backdoor advisory, where PRC-developed tools eventually surfaced in broader campaigns. ESXi hosts often run dozens of production VMs. A single compromised hypervisor means every guest OS on that host—databases, domain controllers, file servers—is accessible for encryption.

Affected Products

The vulnerability impacts a broad range of VMware products:

  • VMware ESXi
  • VMware Workstation
  • VMware Fusion
  • VMware Cloud Foundation
  • VMware vSphere
  • VMware Telco Cloud Platform

Organizations running any of these products on unpatched versions should treat this as an emergency. Broadcom released fixes in March 2025, so patches have been available for nearly a year. There's no excuse for delay at this point.

What Organizations Should Do

CISA is directing federal agencies to apply vendor-provided mitigations, follow BOD 22-01 guidance for cloud services, or discontinue product use if patches can't be applied. That guidance applies equally to private sector organizations.

Beyond patching, security teams should reduce the paths that lead to the VMX process. The chain starts inside a guest: an attacker first needs elevated privileges on a VM, uses the VMCI and HGFS interfaces to gain code execution in the host-side VMX process, and only then triggers the arbitrary kernel write. Limiting who holds guest administrator rights, and which administrators can modify VM configurations, therefore shrinks the attack surface. Because the orchestrator described above loads its exploit driver inside the guest, guest driver-load telemetry (unexpected unsigned driver loads, VMCI driver tampering) is where the earliest signal sits; on the ESXi side, watch for unexpected VIB installs and kernel module loads. Ensure hypervisor management interfaces (vCenter, the ESXi host client, SSH) are not reachable from the broader network. The SmarterMail exploit chain now being used in ransomware attacks shows how quickly attackers weaponize exposed management interfaces.
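The first practical step behind the advice above is knowing which hosts are still below the fixed build while the CVE is ransomware-flagged. The script below is an added example, not code from the article, Broadcom or CISA: it parses the output of `esxcli system version get` collected from each host and the CISA KEV JSON feed (field names `cveID` and `knownRansomwareCampaignUse` as the public feed uses them), and prioritises the result. The fixed-build table is my recollection of the March 2025 advisory (VMSA-2025-0004) and must be confirmed against the advisory before use; the host outputs and KEV excerpt are constructed sample data.

```python
"""Triage ESXi hosts against the VMSA-2025-0004 chain (CVE-2025-22224/22225/22226).

Added example, not code from the article or from Broadcom/CISA. It parses
`esxcli system version get` output collected from each host plus the CISA KEV
JSON feed, and reports hosts below the fixed build while a chain CVE is
flagged as ransomware-exploited.
"""
import json
import re

CHAIN_CVES = {"CVE-2025-22224", "CVE-2025-22225", "CVE-2025-22226"}

# Minimum fixed build per ESXi version line, keyed by the "Version" field that
# esxcli prints. ASSUMPTION: these are the March 2025 fixed builds as recalled
# from VMSA-2025-0004; verify against the advisory before acting on the output.
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi 8.0 U3d
    "8.0.2": 24585300,  # ESXi 8.0 U2d
    "7.0.3": 24585291,  # ESXi 7.0 U3s
}


def parse_esxcli_version(text):
    """Turn `esxcli system version get` output into a dict of its fields.

    Adds "BuildNumber" as an int parsed from the "Build" line
    (e.g. "Releasebuild-24022510" -> 24022510), or None if absent.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    m = re.search(r"(\d+)\s*$", fields.get("Build", ""))
    fields["BuildNumber"] = int(m.group(1)) if m else None
    return fields


def assess_host(name, fields):
    """Classify one host as PATCHED, VULNERABLE or UNKNOWN against FIXED_BUILDS."""
    version = fields.get("Version")
    build = fields.get("BuildNumber")
    fixed = FIXED_BUILDS.get(version)
    if fixed is None or build is None:
        # A version line missing from the table (or an unparsable build) is not
        # evidence of safety: report UNKNOWN and check the advisory by hand.
        return {"host": name, "status": "UNKNOWN",
                "detail": f"version {version!r}, build {build!r} not in table"}
    status = "PATCHED" if build >= fixed else "VULNERABLE"
    return {"host": name, "status": status,
            "detail": f"{version} build {build} vs fixed {fixed}"}


def kev_ransomware_flags(kev_json):
    """Return {cveID: knownRansomwareCampaignUse} for the chain CVEs in a KEV feed."""
    feed = json.loads(kev_json)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse", "Unknown")
            for v in feed.get("vulnerabilities", []) if v.get("cveID") in CHAIN_CVES}


def triage(hosts, kev_json):
    """Combine host status with KEV flags into one prioritised report.

    hosts: {name: raw esxcli output}. Returns (priority, findings); priority is
    EMERGENCY if any host is VULNERABLE and a chain CVE is ransomware-flagged,
    HIGH if any host is VULNERABLE, REVIEW if any host is UNKNOWN, else OK.
    """
    findings = [assess_host(n, parse_esxcli_version(out)) for n, out in hosts.items()]
    ransomware = any(v == "Known" for v in kev_ransomware_flags(kev_json).values())
    statuses = {f["status"] for f in findings}
    if "VULNERABLE" in statuses:
        priority = "EMERGENCY" if ransomware else "HIGH"
    elif "UNKNOWN" in statuses:
        priority = "REVIEW"
    else:
        priority = "OK"
    return priority, findings


# Constructed sample inputs: not real hosts and not the live KEV feed.
SAMPLE_HOSTS = {
    "esx01": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24022510\n   Update: 3\n   Patch: 0\n",
    "esx02": "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-24585291\n   Update: 3\n   Patch: 0\n",
    "esx03": "   Product: VMware ESXi\n   Version: 6.7.0\n   Build: Releasebuild-17700523\n   Update: 3\n   Patch: 0\n",
}
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-22225", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-22224", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-0000", "knownRansomwareCampaignUse": "Unknown"},  # unrelated filler entry
]})

if __name__ == "__main__":
    priority, findings = triage(SAMPLE_HOSTS, SAMPLE_KEV)
    print("priority:", priority)
    for f in findings:
        print(f"{f['host']:6} {f['status']:10} {f['detail']}")
```

Run it against real input by collecting `esxcli system version get` from each host (over SSH or the host shell) into the `hosts` mapping and passing the downloaded KEV JSON as `kev_json`. Hosts on a version line absent from the table come back UNKNOWN rather than PATCHED on purpose: an end-of-life 6.x host is not safe just because the table has no entry for it.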

This is also a good moment to review backup architecture. If your backup infrastructure runs on the same ESXi cluster as production workloads, a hypervisor-level compromise puts both online. Air-gapped or off-host backups remain the most reliable defense against ransomware attacks that reach the hypervisor layer.

Why This Matters

CISA quietly flagged 59 vulnerabilities as ransomware-exploited throughout the past year, but the ESXi update stands out because of the target's value. Virtualization infrastructure is the backbone of most enterprise environments. When attackers can escape the VM sandbox and access the hypervisor, they bypass every security control that exists within guest operating systems—endpoint detection, network segmentation, application-level defenses. None of it matters once the hypervisor is compromised.

The transition from nation-state exploitation to commodity ransomware use typically follows a predictable arc, and this flaw is right on schedule. Organizations that delayed patching because "it's just a state-sponsored thing" are now facing the same exploit from financially motivated attackers with far less restraint about what they encrypt. The CISA KEV catalog additions over the past week reinforce the pattern—patch windows are shrinking and the consequences of delay keep growing.
