CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was previously used in zero-day attacks.
Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) in March 2025 alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged them all as actively exploited zero-days.
“A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox,” Broadcom said about the CVE-2025-22225 flaw.
At the time, the company said that the three vulnerabilities affect VMware ESX products, including VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform, and that attackers with privileged administrator or root access can chain them to escape the virtual machine’s sandbox.
According to a report published last month by cybersecurity company Huntress, Chinese-speaking threat actors have likely been chaining these flaws in sophisticated zero-day attacks since at least February 2024.
Flagged as exploited in ransomware attacks
In a Wednesday update to its list of vulnerabilities exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said CVE-2025-22225 is now known to be used in ransomware campaigns but didn’t provide more details about these ongoing attacks.
CISA first added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in March 2025 and ordered federal agencies to secure their systems by March 25, 2025, as mandated by Binding Operational Directive (BOD) 22-01.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” the cybersecurity agency says.
Ransomware gangs and state-sponsored hacking groups often target VMware vulnerabilities because VMware products are widely deployed on enterprise systems that commonly store sensitive corporate data.
For instance, in October, CISA ordered government agencies to patch a high-severity vulnerability (CVE-2025-41244) in Broadcom’s VMware Aria Operations and VMware Tools software, which Chinese hackers have exploited in zero-day attacks since October 2024.
More recently, CISA has also tagged a critical VMware vCenter Server vulnerability (CVE-2024-37079) as actively exploited in January and ordered federal agencies to secure their servers by February 13.
In related news, this week, cybersecurity company GreyNoise reported that CISA has “silently” tagged 59 security flaws as known to be used in ransomware campaigns last year alone.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
