Executive Summary
In March 2025, Broadcom patched a high-severity VMware ESXi vulnerability (CVE-2025-22225) that allowed attackers with VMX process privileges to perform arbitrary kernel writes, leading to sandbox escapes. Despite the patch, by February 2026, ransomware groups began exploiting this flaw to gain unauthorized access to ESXi hypervisors, encrypting virtual machines and disrupting critical services. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed these exploitations and added the vulnerability to its Known Exploited Vulnerabilities catalog, urging organizations to apply mitigations or discontinue use if patches are unavailable. This incident underscores the persistent threat posed by unpatched vulnerabilities in widely used virtualization platforms, highlighting the need for timely updates and robust security practices to prevent exploitation by ransomware operators.
Why This Matters Now
The exploitation of CVE-2025-22225 by ransomware groups in February 2026 highlights the critical importance of promptly applying security patches. Organizations using VMware ESXi must ensure their systems are updated to prevent potential breaches and operational disruptions.
Attack Path Analysis
The attack began with the compromise of a virtual machine (VM) through a vulnerable application or stolen credentials. The attacker then exploited CVE-2025-22224 to execute code within the VMX process, leading to a sandbox escape. Subsequently, they leveraged CVE-2025-22225 to perform arbitrary kernel writes, escalating privileges to gain control over the ESXi hypervisor. With hypervisor control, the attacker moved laterally to other VMs and systems within the environment. They established command and control channels to maintain persistent access. Finally, the attacker deployed ransomware across the compromised infrastructure, encrypting data and demanding ransom payments.
Kill Chain Progression
Initial Compromise
Description
The attacker gained initial access by exploiting a vulnerable application or using stolen credentials to compromise a virtual machine.
Related CVEs
CVE-2025-22225
CVSS 8.2An arbitrary write vulnerability in VMware ESXi allows a malicious actor with privileges within the VMX process to trigger an arbitrary kernel write, leading to a sandbox escape.
Affected Products:
VMware ESXi – All versions prior to the patch released in March 2025
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Virtualization/Sandbox Evasion
Hardware Additions
Exploitation for Privilege Escalation
Endpoint Denial of Service
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
VMware ESXi ransomware exploitation directly threatens IT infrastructure providers managing virtualized environments, requiring immediate patching and zero trust segmentation implementation.
Health Care / Life Sciences
Healthcare organizations face critical risk from ESXi sandbox escape attacks targeting patient data systems, with HIPAA compliance violations and operational disruption potential.
Financial Services
Banking and financial institutions using VMware virtualization infrastructure are vulnerable to ransomware attacks exploiting CVE-2025-22225, threatening sensitive financial data protection.
Government Administration
Federal agencies must comply with CISA's March 25 patching deadline for ESXi vulnerabilities, as government systems storing sensitive data are primary ransomware targets.
Sources
- CISA: VMware ESXi flaw now exploited in ransomware attackshttps://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/Verified
- CISA Adds Four Known Exploited Vulnerabilities to Cataloghttps://www.cisa.gov/news-events/alerts/2025/03/04/cisa-adds-four-known-exploited-vulnerabilities-catalogVerified
- NVD - CVE-2025-22225https://nvd.nist.gov/vuln/detail/CVE-2025-22225Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by identity-aware policies, reducing unauthorized entry points.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by strict segmentation policies, reducing the scope of access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been constrained by east-west traffic controls, reducing unauthorized access between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels may have been detected and disrupted through enhanced visibility and control across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been limited by controlled egress policies, reducing unauthorized data transfers.
The attacker's ability to deploy ransomware may have been constrained by prior segmentation and traffic controls, reducing the overall impact.
Impact at a Glance
Affected Business Functions
- Virtualization Infrastructure
- Data Center Operations
Estimated downtime: 14 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data stored on virtual machines.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent lateral movement within the environment.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic, detecting unauthorized movements.
- • Utilize Multicloud Visibility & Control solutions to gain comprehensive insights into network activities and identify anomalies.
- • Apply Inline IPS (Suricata) to detect and prevent exploitation attempts of known vulnerabilities like CVE-2025-22224 and CVE-2025-22225.
- • Ensure timely patch management to address vulnerabilities promptly and reduce the attack surface.
