VMware ESXi arbitrary-write sandbox escape (CVE-2025-22225)
Vulnerability
Summary
CVE-2025-22225 is now confirmed in ransomware campaigns, making the VMware ESXi sandbox-escape flaw an active risk for exposed virtualization hosts. Broadcom patched the issue in March 2025 after classifying it as an actively exploited zero-day. The flaw matters because a privileged attacker can trigger an arbitrary kernel write and escape the virtual machine sandbox.
Related Happenings
Terrarium CVE-2026-5752 mitigation guidance
Advisory/Mitigation
First: 22.04.2026 10:16
Last: 22.04.2026 10:16
Sources 1
About this happening:
**CERT/CC** issued mitigation guidance for **Terrarium** deployments exposed to **CVE-2026-5752**, a **sandbox-escape** flaw that can lead to **root code execution**. The advice i...
F5 BIG-IP APM active exploitation wave (CVE-2025-53521)
Exploitation Wave
First: 02.04.2026 11:25
Last: 02.04.2026 11:25
Sources 1
About this happening:
As of **2026-04-02**, ongoing attacks are exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, leaving more than **14,000** exposed online and at risk of remote code e...
UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Campaign
First: 17.02.2026 22:15
Last: 17.02.2026 22:15
Sources 1
About this happening:
The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...
Latest development: 19.02.2026 17:30
CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.
CISA KEV remediation order for CVE-2025-22225
Public Sector Action
First: 04.02.2026 19:38
Last: 04.02.2026 19:38
Sources 1
How related:
CISA first added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in March 2025 and ordered federal agencies to secure their systems by March 25, 2025, as mandated by Binding Operational Directive (BOD) 22-01.
About this happening:
**CISA** added **CVE-2025-22225** to the **Known Exploited Vulnerabilities (KEV)** catalog and ordered **federal agencies** to secure affected systems by **March 25, 2025**. The d...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
Timeline
- 04.02.2026 19:38 · 1 article · 3mo ago
CISA adds CVE-2025-22225 to KEV and sets March 25 deadline
Legal Policy Action Update
CISA added CVE-2025-22225, the VMware ESXi sandbox-escape / arbitrary-write flaw, to its Known Exploited Vulnerabilities catalog and required federal agencies to secure affected systems by March 25, 2025 under Binding Operational Directive 22-01; Broadcom had patched the flaw in March 2025 after noting that a malicious actor with privileges within the VMX process could trigger an arbitrary kernel write and escape the sandbox.
- CISA: VMware ESXi flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 04.02.2026 19:38
- 04.02.2026 19:38 · 2 articles · 3mo ago
CISA confirms CVE-2025-22225 is used in ransomware campaigns
Initial Disclosure
On 2026-02-04, CISA said CVE-2025-22225 was being used in ransomware campaigns against affected VMware ESXi environments, and Huntress separately assessed that Chinese-speaking threat actors had likely chained the related VMware flaws in sophisticated zero-day attacks since at least February 2024.
- CISA: VMware ESXi flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 04.02.2026 19:38