Critical VMware ESXi Flaw Lets Hackers Escape Virtual Machines and Deploy Ransomware
Ransomware groups are actively exploiting a critical VMware ESXi sandbox escape vulnerability, allowing hypervisor takeover and full infrastructure compromise, prompting urgent patch warnings from CISA and cybersecurity experts worldwide.
The Cybersecurity and Infrastructure Security Agency (CISA) of the United States has issued a strong warning after establishing that ransomware groups are actively exploiting a significant VMware ESXi vulnerability. The vulnerability, known as CVE-2025-22225, enables attackers to break out of a virtual machine and gain control of the underlying hypervisor, putting entire company networks at risk.
This security vulnerability affects VMware ESXi versions 7.0 and 8.0, which organizations commonly use to deploy virtual servers. Broadcom officially addressed the vulnerability in March 2025, but many systems still remain unpatched. According to reports, attackers are currently using this vulnerability in real-world ransomware attacks.
CVE-2025-22225 is rated as a high-severity sandbox escape vulnerability with a CVSS score of 8.2. A sandbox escape is a security flaw that allows an attacker to break out of a restricted or isolated environment and gain access to the main system or host. This one enables an attacker who already has some level of access to a virtual machine to perform an inappropriate kernel-level operation, allowing them to exit the virtual environment and take control of the hypervisor, which manages all virtual machines on the server.
The vulnerability has been identified alongside two more critical issues, CVE-2025-22224 and CVE-2025-22226. When combined, these issues make it easier for attackers to completely compromise ESXi servers. Cybercriminals are combining these flaws to deliver ransomware, steal data, and install covert backdoors that are difficult to detect.
CISA has added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog, verifying that it is being exploited in ongoing attacks. Federal authorities were urged to implement updates as soon as possible, but scans reveal that over 41,000 ESXi servers remain vulnerable and exposed on the internet. Security experts warn that unpatched ESXi servers are a prime target because they frequently store important company data. Once a hypervisor is compromised, attackers can encrypt entire virtual environments, resulting in significant downtime and financial loss.
Organizations are strongly advised to install the latest VMware patches immediately, limit administrative access to virtual machines, and monitor for unusual activity. With ransomware attacks on the rise, keeping virtualization platforms secure is now more important than ever.
This article is based on information from Cyber Security News.