**CVE-2025-22225 in VMware ESXi Now Used in Active Ransomware Attacks**

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that ransomware gangs are exploiting the VMware ESXi vulnerability CVE-2025-22225, which was patched by Broadcom in March 2025.

The vulnerability, an arbitrary write issue in VMware ESXi, allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to a sandbox escape. This flaw is being actively exploited in ransomware attacks, according to CISA's latest update to the KEV catalog.

At the time of the initial patch release, virtualization giant VMware confirmed that it had information suggesting the flaw had been exploited in attacks in the wild. The company's advisory, VMSA-2025-0004, fixed three zero-days actively exploited in the wild that enable ESXi VM escape and code execution.

The exploit chain used by threat actors relies on an orchestrator called MAESTRO to manage a full VMware ESXi VM escape. This sophisticated attack involves disabling VMCI drivers, loading an unsigned exploit driver via BYOD techniques, coordinating exploitation, leaking VMX memory to bypass ASLR, abusing HGFS and VMCI flaws, writing shellcode into the VMX process, and ultimately escaping to the ESXi kernel.

After escaping the sandbox, the attackers deploy a stealthy VSOCK-based backdoor (VSOCKpuppet), enabling persistent remote control of the hypervisor from guest VMs while evading traditional network monitoring and restoring drivers to reduce detection. Researchers at Huntress have found evidence that this exploit chain may have been used since at least February 2024.

Interestingly, the toolkit targeted up to 155 ESXi builds and enabled VM escape by disabling VMCI drivers and loading unsigned kernel drivers, potentially paving the way for ransomware attacks. The attackers moved laterally using Domain Admin credentials, performed reconnaissance, modified firewall rules to block external access while preserving internal movement, and staged data for exfiltration.

It's worth noting that Huntress researchers detected an intrusion in December 2025 that led to the deployment of a VMware ESXi exploit toolkit, with initial access attributed to a compromised SonicWall VPN. The evidence suggests that the toolkit was likely developed as a zero-day more than a year before VMware publicly disclosed the flaws, pointing to a well-resourced Chinese-speaking actor.

CISA's confirmation that CVE-2025-22225 is being exploited in ransomware attacks serves as a stark reminder of the importance of patching and keeping software up to date. Organizations are advised to ensure that their systems are patched and to follow best practices for securing VMware ESXi environments.


**Update:** CISA has updated the CVE-2025-22225 entry in the KEV catalog, confirming the flaw is being exploited in ransomware attacks.