Ethical Hacking News

Global Hypervisor Exposures: Over 37,000 VMware ESXi Servers Left Vulnerable to Active Attacks




Over 37,000 internet-exposed VMware ESXi instances are currently vulnerable to a critical out-of-bounds write flaw that is being actively exploited in the wild. This massive exposure underscores a critical failure of cybersecurity measures at many organizations reliant on virtualization for their infrastructure. Prompt action by affected organizations is essential to prevent further attacks and mitigate this vulnerability. Users must stay updated with the latest information from VMware and follow recommended patches to ensure their systems are protected against exploitation.



  • Over 37,000 internet-exposed VMware ESXi servers are vulnerable to CVE-2025-22224.
  • The vulnerability is being actively exploited in the wild, as confirmed by Broadcom.
  • Three critical-severity VMCI heap overflow vulnerabilities are involved: CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226.
  • The global reach of this issue affects organizations from different parts of the world, including China, France, the United States, Germany, Iran, and Brazil.
  • Affected organizations must apply available updates and mitigations recommended by Broadcom or discontinue use of the product until patches can be applied.
  • The vulnerability has been observed being exploited for an undisclosed period before public disclosure.



The threat landscape for enterprise IT environments has taken a significant hit as recent data from threat monitoring platform The Shadowserver Foundation reveals that over 37,000 internet-exposed VMware ESXi servers are currently vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is being actively exploited in the wild. This massive exposure indicates a catastrophic failure of cybersecurity measures in place at many organizations that rely on virtualization for their infrastructure.

The vulnerability, which was first reported by Shadowserver yesterday, has been confirmed by Broadcom to have been used in attacks as a zero-day; Broadcom also warned customers about it along with two other flaws, CVE-2025-22225 and CVE-2025-22226. These three critical-severity VMCI heap overflow vulnerabilities enable local attackers with administrative privileges on the VM guest to escape the sandbox and execute code on the host as the VMX process.

In a recent report by Microsoft Threat Intelligence Center, the exploitation of these zero-day vulnerabilities was observed for an undisclosed period before being publicly disclosed. The report noted that no information about the origin of the attacks and their targets has been shared yet, indicating the ongoing threat posed by these exploits.

The impact of this vulnerability is not limited to its severity or exploitability but also its pervasiveness, due to the widespread use of VMware ESXi in enterprise IT environments for virtual machine management. The global reach of this issue means that organizations from different parts of the world are affected, including China, France, the United States, Germany, Iran, and Brazil.

Given the severity and widespread impact of this vulnerability, it is imperative for affected organizations to act quickly to address the issue. This includes applying available updates and mitigations recommended by Broadcom or discontinuing use of the product until these patches can be applied. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued a directive urging federal agencies and state organizations to apply the available updates and mitigate or stop using the product.

The Shadowserver Foundation reports that most vulnerable instances are located in China (4,400), followed by France (4,100), the United States (3,800), Germany (2,800), Iran (2,800), and Brazil (2,200). This breakdown highlights the global nature of this issue, underscoring the need for a coordinated response across different regions.

For users seeking information on the ESXi versions that fix CVE-2025-22224, Broadcom has published a bulletin. As no workarounds are currently available to address this vulnerability, it is crucial for affected organizations to take proactive steps to patch their systems as soon as possible.

In light of this critical vulnerability and its active exploitation, users are recommended to consult the vendor's FAQ page and follow any additional recommendations provided by Broadcom or other trusted sources. The severity of CVE-2025-22224 emphasizes the importance of regular security audits and patches in preventing such widespread exposure to attack vectors.
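Because the fix is shipped as a new build per ESXi release train, the practical check for a fleet is "is each host's build at or above the fixed build for its own train", not a single global build number. The following inventory audit is an added example written for this article; it is not code from the article, Shadowserver or Broadcom. The hostnames and builds in the sample inventory are constructed, and the fixed-build thresholds are placeholders that an operator must replace with the values from Broadcom's bulletin.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (hostnames and builds are made up, not real hosts).
# Each line is a hostname followed by the first line of `vmware -vl` output.
SAMPLE_INVENTORY = """\
esx-01.lab.example  VMware ESXi 8.0.3 build-24022510
esx-02.lab.example  VMware ESXi 8.0.3 build-24600000
esx-03.lab.example  VMware ESXi 8.0.2 build-23305546
esx-04.lab.example  VMware ESXi 7.0.3 build-24411414
esx-05.lab.example  VMware ESXi 6.7.0 build-17700523
esx-06.lab.example  version lookup failed
"""

# Placeholder: minimum build per release train that includes the fix. These are
# constructed illustrative numbers, NOT the vendor's values; replace them with the
# builds listed in Broadcom's bulletin before using this against a real fleet.
FIXED_BUILDS_PLACEHOLDER: Dict[str, int] = {
    "8.0.3": 24585000,
    "8.0.2": 24585000,
    "7.0.3": 24585000,
}

LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+VMware ESXi (?P<ver>\d+\.\d+\.\d+) build-(?P<build>\d+)\s*$"
)


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (host, version, build) or None if the line is not a version line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("host"), m.group("ver"), int(m.group("build"))


def classify(version: str, build: int, fixed_builds: Dict[str, int]) -> str:
    """Compare a host's build against the fixed build for ITS OWN release train.

    Build numbers only rise monotonically within a train, so a 7.0.3 host whose
    build happens to exceed the 8.0.2 threshold is not thereby fixed; it must reach
    the 7.0.3 threshold. Trains with no listed fix are treated as needing action.
    """
    threshold = fixed_builds.get(version)
    if threshold is None:
        return "no-fix-listed"  # e.g. an end-of-life train: migrate or isolate
    return "patched" if build >= threshold else "vulnerable"


def audit(inventory: str, fixed_builds: Dict[str, int]) -> Dict[str, str]:
    """Map each inventory line to a status; unparsable lines are flagged, not skipped."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            results[line.split()[0]] = "unparsed"
            continue
        host, version, build = parsed
        results[host] = classify(version, build, fixed_builds)
    return results


def needs_action(results: Dict[str, str]) -> List[str]:
    """Hosts not confirmed patched; anything unknown counts as action needed."""
    return sorted(h for h, s in results.items() if s != "patched")


if __name__ == "__main__":
    res = audit(SAMPLE_INVENTORY, FIXED_BUILDS_PLACEHOLDER)
    for host, status in res.items():
        print(f"{host:22s} {status}")
    print("needs action:", ", ".join(needs_action(res)))
```

The design choice worth noting is that unknown states ("unparsed", "no-fix-listed") are reported alongside "vulnerable" rather than dropped: a host whose version could not be read, or which runs a train with no fix available, is exactly the one that tends to stay exposed after a patch campaign.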



Related Information:
  • https://www.ethicalhackingnews.com/articles/Global-Hypervisor-Exposures-Over-37000-VMware-ESXi-Servers-Left-Vulnerable-to-Active-Attacks-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/over-37-000-vmware-esxi-servers-vulnerable-to-ongoing-attacks/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-22224
  • https://www.cvedetails.com/cve/CVE-2025-22224/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-22225
  • https://www.cvedetails.com/cve/CVE-2025-22225/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-22226
  • https://www.cvedetails.com/cve/CVE-2025-22226/


  • Published: Thu Mar 6 10:18:59 2025 by llama3.2 3B Q4_K_M
