Analysis Summary

A surge in ransomware attacks exploiting critical VMware vulnerabilities—CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (CVSS 8.2), and CVE-2025-22226 (CVSS 7.1)—has triggered global alerts. These flaws in ESXi, Workstation, and Fusion enable attackers to escape virtual machine containment, hijack hypervisors, and deploy ransomware across entire infrastructures. Notably, CVE-2025-22224, a heap overflow in VMware’s VMCI driver, allows attackers with VM administrator privileges to execute code on the host. This serves as an entry point for further exploitation via CVE-2025-22225, an arbitrary write flaw granting kernel-level access, while CVE-2025-22226 facilitates credential theft through hypervisor memory leaks, enabling lateral movement within the network. Shadowserver has reported that over 41,500 internet-exposed VMware ESXi hypervisors remain vulnerable to these actively exploited flaws.

Attackers typically breach internet-facing VMs using web shells or stolen credentials, then exploit CVE-2025-22224 to break out of the VM sandbox and execute code on the ESXi host. Privilege escalation via CVE-2025-22225 provides kernel control, while CVE-2025-22226 extracts credentials from memory, allowing adversaries to pivot to vCenter via SSH or exploit misconfigurations. Once inside, attackers encrypt VM disk files (VMDKs) and delete backups from vSphere datastores, rendering businesses inoperable. The healthcare and financial sectors are prime targets, with ransomware operators encrypting critical patient records and financial transactions within 47 minutes of initial access. Ransom demands range from $2–5 million, with double extortion tactics used to pressure victims.

Security teams struggle to detect these attacks due to hypervisor blind spots, log noise, and poor network segmentation. Only 38% of organizations monitor ESXi logs for anomalies, while 72% lack proper segmentation between management interfaces and production networks, making lateral movement easier for attackers. The stealthy nature of these exploits allows threat actors to bypass traditional network defenses, significantly increasing enterprise risk. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all three CVEs to its Known Exploited Vulnerabilities (KEV) list, reinforcing the urgency to patch affected systems.

Broadcom has released emergency updates to address these vulnerabilities in ESXi (versions 8.0, 7.0, and 6.7), Workstation (17.6.3), and Fusion (13.6.3), urging all VMware customers to patch immediately. Given that these exploits allow complete hypervisor compromise, organizations must identify affected systems, apply patches without delay, monitor for suspicious activity, and review security configurations to prevent further exploitation. Failure to patch leaves enterprises at risk of severe operational disruption, data loss, and financial extortion.

Impact

• Buffer Overflow
• Information Disclosure
• Gain Access
• Security Bypass

Indicators of Compromise

CVE

• CVE-2025-22224

• CVE-2025-22225

• CVE-2025-22226

Affected Vendors

Affected Products

Remediation

• Update VMware ESXi, Workstation, and Fusion to the latest patched versions released by Broadcom.
• Ensure Telco Cloud Platform and VMware Cloud Foundation users apply asynchronous patches.
• Disable unnecessary internet exposure of VMware ESXi hosts.
• Restrict administrative access to VMware management interfaces using firewalls and VPNs.
• Enforce multi-factor authentication (MFA) for vCenter and ESXi management accounts.
• Enable and monitor ESXi logs (/var/log/hostd.log) for VM management anomalies.
• Implement endpoint detection and response (EDR) solutions on VMware hosts.
• Analyze authentication attempts and privilege escalations to detect suspicious activity.
• Apply strict network segmentation between VMware management, production, and backup networks.
• Block unauthorized SSH access to ESXi hosts and vCenter.
• Enforce least privilege access policies for virtualized infrastructure.
• Regularly back up VM disk files (VMDKs) and store them offline or in immutable storage.
• Test disaster recovery plans to ensure rapid restoration in case of ransomware attacks.
• Develop an incident response plan specifically for hypervisor-level compromises.