Active VMware Zero-Day Exploits: Security Bypass And Ransomware Threat

VMware has recently been the focus of a rise in ransomware attacks that target fundamental vulnerabilities in its virtualisation software. Attackers are taking advantage of flaws in ESXi, Workstation, and Fusion to disrupt corporate systems.

Broadcom, a well-known US technology company, has warned that hackers are actively targeting three critical vulnerabilities to access its corporate clients’ networks.

Three vulnerabilities, collectively termed “ESXicape” by one security researcher, affect widely used hypervisor products. A hypervisor lets several virtual machines run on a single physical server, reducing the need for physical server space.

Hypervisors reduce physical space requirements and optimise server usage. However, the vulnerabilities CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (CVSS 8.2), and CVE-2025-22226 (CVSS 7.1) allow attackers to bypass virtual machine containment. Together, they could enable hijacking of hypervisors and the spread of ransomware across whole clusters.

According to Shadowserver, more than 41,500 VMware ESXi hypervisors exposed to the internet remain vulnerable to CVE-2025-22224. As of 4th March 2025, attackers are actively exploiting this critical zero-day vulnerability.

From VMware Breach to Hypervisor Control and Ransomware Deployment

Getting access to the hypervisor could allow an attacker to compromise any other virtual machine, including those belonging to other businesses that share a data centre. Furthermore, the attacker can use these vulnerabilities to get out of the virtual machine’s sandbox if they have administrator or root rights.

According to the company’s explanation:

This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself. Broadcom has information to suggest that exploitation of these issues has occurred ‘in the wild’.

Attackers often use web shells or compromised credentials to infiltrate virtual machines exposed to the internet. Once inside, they take advantage of CVE-2025-22224 to run code on the host ESXi. Thereafter, they get kernel access by using CVE-2025-22225 for privilege escalation.

Attackers can use SSH or other unpatched vulnerabilities to move from the compromised hypervisor to vCenter, frequently taking advantage of lax inter-subnet firewall restrictions. According to the Sygnia research, the attack’s final phase encrypts virtual machine disk files (VMDKs) and erases backups kept in vSphere datastores, bringing business operations to a halt.

  • CVE-2025-22224: A memory overflow vulnerability in VMware’s VMCI driver lets an attacker with VM administrator access execute malicious code in the host’s VMX process. Attackers use it as the first step to exit the virtual machine sandbox. Broadcom classifies this as a critical-severity vulnerability.
  • CVE-2025-22225: This arbitrary-write vulnerability allows the VMX process to write into kernel memory. Attackers exploit it to gain kernel-level control over ESXi hosts, fully escaping the sandbox.
  • CVE-2025-22226: This HGFS information-disclosure vulnerability allows attackers with administrative privileges to leak memory from the VMX process. The resulting credential theft enables lateral movement to vCenter and other critical systems.

Microsoft found in 2024 that many ransomware groups were using a VMware hypervisor vulnerability to spread Black Basta and LockBit malware. These attacks formed part of data-theft campaigns targeting company information.

Attackers used a two-year-old VMware vulnerability in a massive hacking operation called “ESXiArgs” last year. This breach impacted thousands of companies worldwide.

Since then, Broadcom has patched the three vulnerabilities. Because they were exploited before any remedies were available, they qualify as “zero-day” vulnerabilities. The company advised users to install the updates promptly as part of an emergency security advisory.

Security researcher Kevin Beaumont noted on Mastodon that these vulnerabilities are currently being exploited by an unidentified ransomware group. The vulnerability of VMware products is concerning, as a single hack can impact several servers simultaneously, risking confidential company information.

Notably, sectors such as healthcare and finance have experienced the highest attack rates. After gaining access, attackers have, in some cases, encrypted entire transaction databases and patient record systems in as little as 47 minutes. Attackers commonly use double extortion to threaten data dumps on dark web forums, with ransom demands typically ranging from £2 to £5 million.

Broadcom issued emergency patches for VMware products, such as ESXi, Workstation, and Fusion, on March 4, 2025, to fix vulnerabilities CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226.

Organisations must identify impacted systems, apply the patches quickly, keep an eye out for odd activity, and evaluate their security procedures due to the seriousness of these vulnerabilities and their active exploitation.
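The first step above, identifying impacted hosts, can be automated from the banner each ESXi host prints with `vmware -v`. The script below is an added example, not from the article or from Broadcom; the FIXED_BUILDS values and the host inventory are constructed placeholders, and the real fixed build numbers must be taken from Broadcom's advisory for the three CVEs.

```python
"""Triage ESXi hosts by build number against the advisory's fixed builds."""
import re
from dataclasses import dataclass

# PLACEHOLDER fixed builds per release line (major.minor). Replace with the
# build numbers from Broadcom's advisory for CVE-2025-22224/22225/22226.
FIXED_BUILDS = {"7.0": 99999991, "8.0": 99999992}

# Format of the `vmware -v` banner, e.g. "VMware ESXi 8.0.3 build-24280767".
VMWARE_V_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


@dataclass
class HostStatus:
    name: str
    release: str
    build: int
    needs_patch: bool
    note: str


def parse_vmware_v(banner):
    """Return (release_line, build) from a `vmware -v` banner, or None."""
    m = VMWARE_V_RE.search(banner)
    if not m:
        return None
    major, minor, _patch, build = m.groups()
    return f"{major}.{minor}", int(build)


def triage(inventory, fixed=FIXED_BUILDS):
    """Flag hosts below the fixed build; unknown banners/lines are flagged for manual review."""
    results = []
    for host, banner in inventory.items():
        parsed = parse_vmware_v(banner)
        if parsed is None:
            results.append(HostStatus(host, "?", 0, True, "unrecognised banner; check manually"))
            continue
        release, build = parsed
        if release not in fixed:
            results.append(HostStatus(host, release, build, True, "release line not in advisory table"))
            continue
        needs = build < fixed[release]
        results.append(HostStatus(host, release, build, needs,
                                  "below fixed build" if needs else "at or above fixed build"))
    return results


# Constructed sample inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = {
    "esx-01": "VMware ESXi 8.0.3 build-99999000",
    "esx-02": "VMware ESXi 8.0.3 build-99999992",
    "esx-03": "VMware ESXi 7.0.3 build-99999991",
    "esx-04": "connection refused",
}

if __name__ == "__main__":
    for s in triage(SAMPLE_INVENTORY):
        print(f"{s.name}: {s.release} build {s.build} -> {'PATCH' if s.needs_patch else 'ok'} ({s.note})")
```

Hosts that cannot be classified are deliberately reported as needing attention rather than silently skipped, so an unreachable or unusual host never drops out of the patch list.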
