Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
The VMware vulnerability attackers are chaining for full hypervisor takeover

5 February 2026 07:11

Ransomware operators are once again focusing on the virtualization layer, and recent confirmations from U.S. authorities show how exposed enterprise environments have become when hypervisors are left unpatched.

Exploitation confirmed in the wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of CVE-2025-22225, a high-severity sandbox escape vulnerability affecting VMware ESXi. The flaw allows attackers to break out of a virtual machine and reach the underlying hypervisor.

Broadcom patched the issue in March 2025, warning that exploitation was already occurring at the time of release. The vulnerability enables ransomware deployment across hypervisors, significantly increasing the potential blast radius of a single compromise.

Technically, CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi. Rated “Important” with a CVSS score of 8.2, it can be triggered by an attacker who already has privileges within the VMX process, leading to an arbitrary kernel write and loss of sandbox isolation.

A chained attack surface

The flaw was disclosed together with two other zero-day vulnerabilities: CVE-2025-22224, a heap overflow with a CVSS score of 9.3, and CVE-2025-22226, an information disclosure issue scored at 7.1. All three have been exploited in the wild since at least early 2025.

Attackers have been observed chaining these vulnerabilities to achieve a complete virtual machine escape. This approach allows them to target enterprise hypervisors that often host sensitive data and critical workloads.

On March 4, 2025, CISA added CVE-2025-22225 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by March 25 under Binding Operational Directive 22-01.

Ransomware tactics and scale

Further updates released on February 3, 2026, linked the vulnerability to active ransomware campaigns, even though the specific groups involved were not publicly named. The attacks typically begin with an initial VM compromise, often involving administrative access.
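The KEV listing described above (the March 4, 2025 addition with its March 25 due date under BOD 22-01, and the later update flagging ransomware use) is machine-readable: CISA publishes the catalog as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, and each entry carries `cveID`, `dueDate` and `knownRansomwareCampaignUse` fields. The following added example, written for this article and not code from Red Hot Cyber, CISA or Broadcom, checks the three VMSA-2025-0004 CVEs against a constructed sample of that feed and orders them for patch triage; the sample values are assumptions shaped to match the article, not a copy of the live catalog.

```python
import json
from datetime import date

# The three ESXi CVEs from VMSA-2025-0004 discussed in the article.
VMSA_2025_0004 = ("CVE-2025-22224", "CVE-2025-22225", "CVE-2025-22226")

# Constructed sample in the shape of CISA's KEV JSON feed (only the fields used
# below are filled in); CVE-2025-22226 is left out to exercise the "not in catalog" path.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
     "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi",
     "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-0000", "vendorProject": "Example", "product": "Placeholder",  # filler entry
     "dateAdded": "2024-01-01", "dueDate": "2024-01-22",
     "knownRansomwareCampaignUse": "Unknown"},
]})

def kev_status(kev_json, tracked, today):
    """Map each tracked CVE to its KEV status: presence in the catalog, BOD 22-01
    due date, whether that date has passed, and whether CISA flags ransomware use."""
    entries = {e["cveID"]: e for e in json.loads(kev_json)["vulnerabilities"]}
    report = {}
    for cve in tracked:
        entry = entries.get(cve)
        if entry is None:
            report[cve] = {"in_kev": False}
            continue
        report[cve] = {
            "in_kev": True,
            "due": entry["dueDate"],
            "overdue": today > date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        }
    return report

def prioritize(report):
    """Order CVEs for triage: ransomware-linked first, then past-due KEV entries,
    then other KEV entries, then CVEs not (yet) in the catalog."""
    def rank(cve):
        s = report[cve]
        return (not s.get("ransomware", False), not s.get("overdue", False), not s["in_kev"], cve)
    return sorted(report, key=rank)

if __name__ == "__main__":
    status = kev_status(SAMPLE_KEV_JSON, VMSA_2025_0004, date(2026, 2, 5))
    for cve in prioritize(status):
        print(cve, status[cve])
```

Passing the body of the live feed URL instead of `SAMPLE_KEV_JSON` runs the same check against the current catalog.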

From there, threat actors disable VMCI drivers, load unsigned kernel drivers, and leak VMX memory to bypass address space layout randomization. This enables the deployment of stealthy backdoors such as VSOCKpuppet, which provide persistent hypervisor control while evading network monitoring.

The research highlighting these risks builds on Broadcom's own confirmation of in-the-wild exploitation in advisory VMSA-2025-0004. Scans have identified more than 41,500 exposed ESXi instances that remain vulnerable, while Huntress reported a toolkit capable of targeting 155 ESXi builds.


The Red Hot Cyber Editorial Team provides daily updates on bugs, data breaches, and global threats. Every piece of content is validated by our community of experts, including Pietro Melillo, Massimiliano Brolli, Sandro Sana, Olivia Terragni, and Stefano Gazzella. Through synergy with our industry-leading partners—such as Accenture, CrowdStrike, Trend Micro, and Fortinet—we transform technical complexity into collective awareness. We ensure information accuracy by analyzing primary sources and maintaining a rigorous technical peer-review process.