

Ethical Hacking News

Ransomware Exploits VMware ESXi Vulnerability CVE-2025-22225, Leaving Virtual Machines Open to Attack




A previously patched vulnerability in VMware ESXi has been exploited by ransomware groups, leaving virtual machines open to attack. CVE-2025-22225 is an arbitrary write issue that allows attackers with privileges within the VMX process to trigger an arbitrary kernel write, leading to an escape of the sandbox. This development highlights the importance of regular patch management and vigilance in detecting and responding to advanced threats.

  • Ransomware groups are exploiting a previously patched vulnerability in VMware ESXi, leaving virtual machines open to attack.
  • The CVE-2025-22225 vulnerability allows attackers with privileges within the VMX process to trigger an arbitrary kernel write, leading to an escape of the sandbox.
  • Initial access was attributed to compromised SonicWall VPNs, and lateral movement using Domain Admin credentials and modification of firewall rules was used.
  • The attack vector involves staging data for exfiltration and deploying a toolkit that targets up to 155 ESXi builds.
  • The vulnerability was patched by Broadcom in March 2025, but some ransomware groups have been exploiting it anyway.
  • Cybersecurity experts advise organizations to ensure their VMware ESXi instances are updated with the latest security patches and implement additional security measures.



In a recent development that has sent shockwaves through the cybersecurity community, researchers have confirmed that ransomware groups are exploiting a previously patched vulnerability in VMware ESXi, leaving virtual machines open to attack. The vulnerability in question, CVE-2025-22225, is an arbitrary write issue in VMware ESXi that allows attackers with privileges within the VMX process to trigger an arbitrary kernel write, leading to an escape of the sandbox.

According to reports from Huntress researchers, the exploitation of this vulnerability has been observed in several high-profile ransomware attacks, with initial access attributed to compromised SonicWall VPNs. The attack chain involves lateral movement using Domain Admin credentials, reconnaissance, and modification of firewall rules to block external access while preserving internal movement. The attackers then staged data for exfiltration, ultimately deploying a toolkit that targets up to 155 ESXi builds.

The VMware ESXi vulnerability in question was first reported in January 2025 by Huntress researchers, who observed Chinese-speaking attackers abusing a hacked SonicWall VPN to deliver a toolkit targeting VMware ESXi. Analysis of attacks observed in December 2025 suggests that the group had early knowledge of three ESXi zero-day vulnerabilities later revealed in March 2025, indicating long-term, covert exploitation of unknown flaws.

The CVE-2025-22225 vulnerability was patched by Broadcom in March 2025, but it appears that some ransomware groups have been exploiting it to gain unauthorized access to virtual machines. The exploit chain involves a sophisticated VM escape and appears to have been developed more than a year before the related VMware flaws were publicly disclosed.

CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has confirmed that ransomware gangs are exploiting CVE-2025-22225. In its advisory, VMSA-2025-0004, VMware stated that it had information suggesting the flaw had already been exploited in attacks in the wild.

The malware toolkit used by the attackers relies on an orchestrator called MAESTRO to manage a full VMware ESXi VM escape. The driver leaks VMX memory to bypass ASLR, abuses HGFS and VMCI flaws, writes shellcode into the VMX process, and escapes to the ESXi kernel. It then deploys a stealthy VSOCK-based backdoor (VSOCKpuppet), enabling persistent remote control of the hypervisor from guest VMs while evading traditional network monitoring, and restores the original drivers to reduce the chance of detection.
In response to this development, cybersecurity experts are advising organizations to ensure that their VMware ESXi instances are up to date with the latest security patches and to implement additional security measures to prevent unauthorized access to virtual machines. The incident highlights the importance of regular patch management and vigilance in detecting and responding to advanced threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Ransomware-Exploits-VMware-ESXi-Vulnerability-CVE-2025-22225-Leaving-Virtual-Machines-Open-to-Attack-ehn.shtml

  • https://securityaffairs.com/187637/security/cve-2025-22225-in-vmware-esxi-now-used-in-active-ransomware-attacks.html

  • https://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/

  • https://www.archyde.com/cert-bund-warns-2500-vmware-esxi-servers-accessible-on-the-internet-attacks-via-cve-2025-22225-borns-it-and-windows-blogborns-it/


Published: Wed Feb 4 16:32:50 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.