VMware ESXi Sandbox Escape Flaw Exploited in Ransomware Attacks
Summary
CISA has confirmed that ransomware gangs are now exploiting a high-severity VMware ESXi sandbox escape vulnerability (CVE-2025-22225), which was previously used in zero-day attacks. The flaw allows privileged attackers within the VMX process to perform arbitrary kernel writes, leading to a sandbox escape. Broadcom patched this vulnerability in March 2025, but it has since been leveraged in ransomware campaigns. The vulnerability affects multiple VMware products, including ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform.
Timeline
- 04.02.2026 19:38 · 1 article
CVE-2025-22225 Exploited in Ransomware Attacks
CISA confirmed on February 4, 2026, that the high-severity VMware ESXi sandbox escape vulnerability (CVE-2025-22225) is now being exploited in ransomware campaigns. The flaw, which allows arbitrary kernel writes and sandbox escapes, was patched by Broadcom in March 2025 but has since been leveraged by ransomware gangs. CISA added the vulnerability to its KEV catalog in March 2025 and ordered federal agencies to secure their systems by March 25, 2025.
Sources:
- CISA: VMware ESXi flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 04.02.2026 19:38
Information Snippets
- CVE-2025-22225 is a high-severity VMware ESXi sandbox escape vulnerability that allows arbitrary kernel writes.
First reported: 04.02.2026 19:38 (1 source, 1 article). Sources:
- CISA: VMware ESXi flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 04.02.2026 19:38
- Broadcom patched CVE-2025-22225 in March 2025 alongside two other vulnerabilities (CVE-2025-22226 and CVE-2025-22224).
First reported: 04.02.2026 19:38 (1 source, 1 article). Sources:
- CISA: VMware ESXi flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 04.02.2026 19:38
- CISA added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog in March 2025.
First reported: 04.02.2026 19:38 (1 source, 1 article). Sources:
- CISA: VMware ESXi flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 04.02.2026 19:38
- CISA confirmed that CVE-2025-22225 is now being used in ransomware campaigns.
First reported: 04.02.2026 19:38 (1 source, 1 article). Sources:
- CISA: VMware ESXi flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 04.02.2026 19:38
- Chinese-speaking threat actors have likely been chaining these flaws in zero-day attacks since at least February 2024.
First reported: 04.02.2026 19:38 (1 source, 1 article). Sources:
- CISA: VMware ESXi flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 04.02.2026 19:38