The Cybersecurity and Infrastructure Security Agency (CISA) warns that threat actors are exploiting a high-severity security vulnerability in VMware ESXi CVE-2025-22225 in ransomware attacks.
When exploited, CVE-2025-22225, an arbitrary write vulnerability in the VMX process, allows an attacker who already holds privileges within that process to trigger an arbitrary kernel write and escape the sandbox.
Broadcom had previously warned that attackers could chain the vulnerability with CVE-2025-22226, an out-of-bounds read (information leak) in the HGFS component, and CVE-2025-22224, a TOCTOU race in the VMCI component that leads to an out-of-bounds write, to compromise the hypervisor. Chained together, the three flaws let an attacker with administrative privileges inside a guest virtual machine break out to the VMX process on the host and from there into the hypervisor kernel.
In March 2025, CISA added CVE-2025-22225 to the list of Known Exploited Vulnerabilities (KEV) and urged federal organizations to patch the security vulnerability by March 25, 2025. Corporations also rely on CISA’s KEV catalog to identify vulnerabilities requiring urgent attention.
On March 4, 2025, Broadcom (VMware by Broadcom) released security updates for CVE-2025-22225 and the two related flaws in advisory VMSA-2025-0004 and urged organizations to patch their hosts. However, end-of-life ESXi versions receive no fixes, and the vulnerabilities have no workarounds, so organizations that cannot apply the patches remain exposed.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA advised.
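As an added illustration (not code from the article, Broadcom, CISA or Huntress), the POSIX shell snippet below classifies an ESXi host's `vmware -v` output against the minimum builds that carry the fixes for these three CVEs, and flags end-of-life major versions for which no fix exists. The build thresholds are assumed from Broadcom's VMSA-2025-0004 advisory and must be verified against the current advisory text before the script is trusted for patch tracking; the sample version strings are constructed.

```shell
#!/bin/sh
# Added example, not from the article or from Broadcom/CISA/Huntress.
# Classify an ESXi host's "vmware -v" output against the minimum builds that
# carry the fixes for CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226.
# ASSUMPTION: fixed builds taken from VMSA-2025-0004 (ESXi 8.0 U2d = 24585300,
# ESXi 8.0 U3d = 24585383, ESXi 7.0 U3s = 24585291); verify against the advisory.

FIXED_BUILD_80=24585300   # lowest patched 8.0 build; U3d (24585383) is higher
FIXED_BUILD_70=24585291   # ESXi 7.0 U3s

# esxi_patch_state "VMware ESXi 8.0.3 build-24022510"
# Prints one of: patched | vulnerable | eol-no-fix | unknown
esxi_patch_state() {
    line=$1
    case "$line" in
        "VMware ESXi "[0-9]*" build-"[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    rest=${line#VMware ESXi }          # "8.0.3 build-24022510"
    version=${rest%% *}                # "8.0.3"
    major=${version%%.*}               # "8"
    build=${rest##*build-}             # "24022510" (maybe with trailing text)
    build=${build%%[!0-9]*}            # keep only the leading digits
    case "$build" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    case "$major" in
        8) min=$FIXED_BUILD_80 ;;
        7) min=$FIXED_BUILD_70 ;;
        *) echo eol-no-fix; return 0 ;;  # 6.x and older: end of life, no fix published
    esac
    if [ "$build" -ge "$min" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# On a real ESXi host, check the live version; elsewhere, run over constructed samples.
if command -v vmware >/dev/null 2>&1; then
    live=$(vmware -v)
    printf '%s -> %s\n' "$live" "$(esxi_patch_state "$live")"
else
    # Constructed sample strings, not real hosts.
    for sample in \
        "VMware ESXi 8.0.3 build-24022510" \
        "VMware ESXi 8.0.3 build-24585383" \
        "VMware ESXi 7.0.3 build-24585291" \
        "VMware ESXi 6.7.0 build-17700523" \
        "garbage"
    do
        printf '%-40s %s\n' "$sample" "$(esxi_patch_state "$sample")"
    done
fi
```

The check keys on the build number rather than the marketing version string because Update releases and their security patches share a version prefix (8.0.3 covers both U3c and the fixed U3d); a host reporting an unexpected major version is reported as end-of-life rather than silently treated as patched.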
However, threat intelligence firm Huntress suggested that threat actors had likely been exploiting the vulnerability since February 2024, before it became public knowledge.
Huntress has observed an emerging trend of threat actors frequently targeting the hypervisor to circumvent endpoint and network security controls.
Chinese hackers exploit VMware ESXi security vulnerability CVE-2025-22225
While CISA did not provide details, Huntress assesses that the actors behind the campaign are likely Chinese-speaking, based on Simplified Chinese strings in the toolkit's development paths.
In one incident, suspected Chinese hackers compromised a SonicWall VPN appliance and used that access to exploit the vulnerability, deploying an exploit toolkit that chains the three flaws. The toolkit had been built more than a year before the March 2025 disclosure, suggesting that its developers knew about the zero-day vulnerabilities before they became public.
“Based on our analysis of the exploit’s behavior, its use of HGFS for information leaking, VMCI for memory corruption, and shellcode that escapes to the kernel, the Huntress Tactical Response team assesses with moderate confidence that this toolkit leverages these three CVEs,” Huntress explained.
While the attack was stopped before completion, the threat actors had staged data for exfiltration and were preparing to deploy ransomware.
“Given the nature of ESXi exploitation, this activity could have culminated in a ransomware attack as the end goal, but it was stopped by the Huntress Tactical Response team and the Security Operations Center (SOC),” wrote Huntress.
Meanwhile, the threat intelligence firm believes the exploit toolkit was developed for sale to a broader cybercrime community due to the presence of English documentation.
While the copyright header referenced “XLab”, a Chinese cybersecurity company, Huntress downplayed the association. Nevertheless, the researchers concluded that the exploit toolkit was developed by a well-resourced threat actor.
“The use of simplified Chinese in development paths, combined with the level of sophistication and potential access to zero-day vulnerabilities months before public disclosure, suggests a well-resourced developer likely operating in a Chinese-speaking region.”
So far, it remains unclear how many organizations have been targeted. However, that number is likely to be very small.
