CVE-2025-22225 in VMware ESXi now used in active ransomware attacks

Pierluigi Paganini February 04, 2026

Ransomware groups now exploit VMware ESXi vulnerability CVE-2025-22225, patched by Broadcom in March 2025.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirms that ransomware gangs are exploiting the VMware ESXi sandbox escape flaw CVE-2025-22225.

The vulnerability is an arbitrary write issue in VMware ESXi. An attacker who already has privileges within the VMX process (the per-VM user-space process on the host) can trigger an arbitrary kernel write and escape the VMX sandbox into the ESXi kernel.

At the time, the virtualization giant confirmed that it had information suggesting the flaw had been exploited in attacks in the wild.

“A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.” reads the advisory.

VMware’s March 2025 advisory VMSA-2025-0004 fixed three zero-days actively exploited in the wild that together enable ESXi VM escape and code execution:

  • CVE-2025-22226 (CVSS 7.1): An out-of-bounds read in HGFS that allows leaking memory from the VMX process
  • CVE-2025-22224 (CVSS 9.3): A TOCTOU vulnerability in VMCI leading to an out-of-bounds write, allowing code execution as the VMX process
  • CVE-2025-22225 (CVSS 8.2): An arbitrary write vulnerability in ESXi that allows escaping the VMX sandbox to the kernel
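The first question a defender asks after reading that list is whether a given host actually carries the fix. The following is an added example, not code from the article or from Broadcom: it parses the text that `vmware -vl` prints on an ESXi host and compares the build number with the fixed builds for each supported version line. The fixed build numbers are an assumption taken from VMSA-2025-0004 and should be verified against the advisory before the script is relied on; the sample outputs in the module are constructed.

```python
"""Check an ESXi host's reported build against the builds VMSA-2025-0004 lists as
fixed for CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226.

Added example; not from the SecurityAffairs article or from Broadcom.
The FIXED_BUILDS table is an assumption: verify it against VMSA-2025-0004.
"""
import re
import subprocess

# Assumed fixed builds from VMSA-2025-0004, keyed by the version string that
# `vmware -vl` prints. Verify against the advisory before use.
FIXED_BUILDS = {
    "7.0.3": 24585291,  # ESXi 7.0 Update 3s
    "8.0.2": 24585300,  # ESXi 8.0 Update 2d
    "8.0.3": 24585383,  # ESXi 8.0 Update 3d
}

# First line of `vmware -vl` looks like: "VMware ESXi 8.0.3 build-24022510"
_VMWARE_VL = re.compile(r"VMware ESXi (?P<version>\d+\.\d+\.\d+) build-(?P<build>\d+)")


def parse_vmware_vl(output: str) -> tuple[str, int]:
    """Return (version, build) from `vmware -vl` output, or raise ValueError."""
    m = _VMWARE_VL.search(output)
    if not m:
        raise ValueError(f"unrecognised `vmware -vl` output: {output!r}")
    return m.group("version"), int(m.group("build"))


def assess(output: str) -> dict:
    """Classify a host as patched, vulnerable, or unknown (version line not in
    the table, e.g. 8.0.0/8.0.1 or 7.0.0-7.0.2, which must be upgraded rather
    than patched in place)."""
    version, build = parse_vmware_vl(output)
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        status = "unknown"
    elif build >= fixed:
        status = "patched"
    else:
        status = "vulnerable"
    return {"version": version, "build": build, "fixed_build": fixed, "status": status}


def check_local_host() -> dict:
    """Run `vmware -vl` on the host this script executes on (ESXi shell)."""
    out = subprocess.run(["vmware", "-vl"], capture_output=True, text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    samples = [
        "VMware ESXi 8.0.3 build-24022510\nVMware ESXi 8.0 Update 3\n",
        "VMware ESXi 8.0.3 build-24585383\nVMware ESXi 8.0 Update 3\n",
        "VMware ESXi 7.0.3 build-24585291\nVMware ESXi 7.0 Update 3\n",
        "VMware ESXi 8.0.0 build-20513097\nVMware ESXi 8.0 GA\n",
    ]
    for s in samples:
        print(assess(s))
```

Feed the script the output of `vmware -vl` collected by your inventory tooling (or run `check_local_host()` from an ESXi shell); a host reporting "unknown" is on a version line without an in-place patch and needs an upgrade to a fixed line.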

In January 2026, Huntress researchers reported that Chinese-speaking attackers were seen abusing a hacked SonicWall VPN to deliver a toolkit targeting VMware ESXi.

The exploit chain included a sophisticated VM escape and appears to have been developed more than a year before the related VMware flaws were publicly disclosed. Analysis of attacks observed in December 2025 suggests the group knew of the three ESXi zero-days well before VMware disclosed them in March 2025, indicating long-term, covert exploitation of then-unknown flaws.

In December 2025, Huntress researchers detected an intrusion that led to the deployment of a VMware ESXi exploit toolkit, with initial access attributed to a compromised SonicWall VPN.

Evidence such as simplified Chinese strings and build paths suggests the toolkit was likely developed as a zero-day more than a year before VMware publicly disclosed the flaws, pointing to a well-resourced Chinese-speaking actor.

The attackers laterally moved using Domain Admin credentials, performed reconnaissance, modified firewall rules to block external access while preserving internal movement, and staged data for exfiltration. The toolkit targeted up to 155 ESXi builds and enabled VM escape via disabled VMCI drivers and unsigned kernel drivers, potentially paving the way for ransomware. The attack was ultimately stopped before impact.

The threat actors rely on an orchestrator called MAESTRO to manage a full VMware ESXi VM escape from inside a guest. It disables the guest's VMCI drivers, loads an unsigned exploit driver via a bring-your-own-driver (BYOD) technique, and coordinates exploitation. The driver leaks VMX memory to bypass ASLR, abuses the HGFS and VMCI flaws, writes shellcode into the VMX process, and escapes to the ESXi kernel. It then deploys a stealthy VSOCK-based backdoor (VSOCKpuppet), enabling persistent remote control of the hypervisor from guest VMs while evading traditional network monitoring, and restores the original drivers to reduce detection.

Huntress researchers found evidence that the exploit chain may have been used since at least February 2024.

“The exploit binaries contain PDB paths that offer insight into the development environment.” reads the report published by Huntress.

CISA has updated the CVE-2025-22225 entry in the KEV catalog, confirming the flaw is being exploited in ransomware attacks.
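The KEV update matters operationally because the catalog carries a per-entry ransomware flag that can drive patch prioritisation. The following is an added example, not code from the article or from CISA: it reads the public KEV JSON feed (the field names `cveID`, `knownRansomwareCampaignUse`, `dueDate` and so on are those of the real feed) and sorts the CVEs in a local inventory into tiers. The embedded records are constructed for illustration and are not a copy of the live catalog; `fetch_kev` pulls the real feed when network access is available.

```python
"""Triage an inventory of CVEs against the CISA KEV catalog, pulling entries
that CISA tags as used in ransomware campaigns to the front of the queue.

Added example; not from the SecurityAffairs article or from CISA. The sample
records below are constructed; the field names follow the public KEV feed.
"""
import json
import urllib.request

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample of the feed's shape (values are illustrative only).
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         "vulnerabilityName": "VMware ESXi Arbitrary Write Vulnerability",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi and Workstation",
         "vulnerabilityName": "VMware ESXi and Workstation TOCTOU Race Condition Vulnerability",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22226", "vendorProject": "VMware", "product": "ESXi, Workstation, and Fusion",
         "vulnerabilityName": "VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(text: str) -> list[dict]:
    """Parse the KEV feed JSON into its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def fetch_kev(url: str = KEV_URL, timeout: int = 30) -> list[dict]:
    """Download and parse the live KEV feed (requires network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def ransomware_flagged(entries: list[dict], cve_ids=None) -> list[dict]:
    """Entries CISA marks as used in ransomware campaigns, optionally limited to
    the given CVE IDs. The feed uses the strings 'Known' and 'Unknown'."""
    wanted = set(cve_ids) if cve_ids is not None else None
    return [e for e in entries
            if e.get("knownRansomwareCampaignUse") == "Known"
            and (wanted is None or e["cveID"] in wanted)]


def prioritize(entries: list[dict], inventory_cves: list[str]) -> dict:
    """Split inventory CVEs into: ransomware-flagged KEV entries, other KEV
    entries, and CVEs absent from KEV. Order within each tier follows input."""
    by_id = {e["cveID"]: e for e in entries}
    tiers = {"ransomware": [], "kev": [], "not_in_kev": []}
    for cve in inventory_cves:
        entry = by_id.get(cve)
        if entry is None:
            tiers["not_in_kev"].append(cve)
        elif entry.get("knownRansomwareCampaignUse") == "Known":
            tiers["ransomware"].append(cve)
        else:
            tiers["kev"].append(cve)
    return tiers


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV)  # swap for fetch_kev() when online
    inventory = ["CVE-2025-22224", "CVE-2025-22225", "CVE-2025-22226"]
    for e in ransomware_flagged(entries, inventory):
        print(f"{e['cveID']}: ransomware use known, remediation due {e['dueDate']}")
    print(prioritize(entries, inventory))
```

Because the ransomware flag can flip from "Unknown" to "Known" long after an entry was added (as happened here, eleven months after the March 2025 listing), run this against the fresh feed on every cycle rather than caching the verdict from the day the CVE first appeared.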





Source: https://securityaffairs.com/187637/security/cve-2025-22225-in-vmware-esxi-now-used-in-active-ransomware-attacks.html