How can organizations protect themselves from this vulnerability?

Organizations should apply the patches released by Broadcom in March 2025, as well as follow CISA's guidance to secure their systems and prevent exploitation by ransomware groups.

Why is this vulnerability significant?

The widespread use of VMware ESXi in enterprise environments makes this vulnerability a prime target for attackers, potentially leading to significant operational disruptions and data loss.

This entry was generated by Aviatrix’s agentic AI workflow using verified public sources. It has not been reviewed or confirmed by human analysts. This content is provided for research and awareness only and should not be used as the sole basis for security, operational, or policy decisions. The entry may be updated as verification progresses or new information emerges. Aviatrix disclaims all liability for any and all damages resulting from decisions based on this entry.

Ransomware Groups Exploit VMware ESXi Vulnerability in 2026

In February 2026, ransomware operators began exploiting a patched VMware ESXi vulnerability, leading to significant disruptions. Discover the details and learn how to protect your organization.

Published: February 5, 2026

Share this on:

Executive Summary

In March 2025, Broadcom patched a high-severity VMware ESXi vulnerability (CVE-2025-22225) that allowed attackers with VMX process privileges to perform arbitrary kernel writes, leading to sandbox escapes. Despite the patch, by February 2026, ransomware groups began exploiting this flaw to gain unauthorized access to ESXi hypervisors, encrypting virtual machines and disrupting critical services. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed these exploitations and added the vulnerability to its Known Exploited Vulnerabilities catalog, urging organizations to apply mitigations or discontinue use if patches are unavailable. This incident underscores the persistent threat posed by unpatched vulnerabilities in widely used virtualization platforms, highlighting the need for timely updates and robust security practices to prevent exploitation by ransomware operators.

Why This Matters Now

The exploitation of CVE-2025-22225 by ransomware groups in February 2026 highlights the critical importance of promptly applying security patches. Organizations using VMware ESXi must ensure their systems are updated to prevent potential breaches and operational disruptions.

Attack Path Analysis

The attack began with the compromise of a virtual machine (VM) through a vulnerable application or stolen credentials. The attacker then exploited CVE-2025-22224 to execute code within the VMX process, leading to a sandbox escape. Subsequently, they leveraged CVE-2025-22225 to perform arbitrary kernel writes, escalating privileges to gain control over the ESXi hypervisor. With hypervisor control, the attacker moved laterally to other VMs and systems within the environment. They established command and control channels to maintain persistent access. Finally, the attacker deployed ransomware across the compromised infrastructure, encrypting data and demanding ransom payments.

Kill Chain Progression

Initial Compromise

Mediuminferred

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Lowinferred

Impact

High

Initial Compromise

Description

The attacker gained initial access by exploiting a vulnerable application or using stolen credentials to compromise a virtual machine.

Confidence:

Medium

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-22225
CVSS 8.2
An arbitrary write vulnerability in VMware ESXi allows a malicious actor with privileges within the VMX process to trigger an arbitrary kernel write, leading to a sandbox escape.
Affected Products:
VMware ESXi – All versions prior to the patch released in March 2025
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-22225 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-22225 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.

Defense Evasion

T1497

Virtualization/Sandbox Evasion

Initial Access

T1200

Hardware Additions

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Impact

T1499

Endpoint Denial of Service

Impact

T1486

Data Encrypted for Impact

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

Control ID: 6.2

Failure to promptly apply patches for known vulnerabilities like CVE-2025-22225 exposes systems to exploitation, compromising cardholder data security.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

Not addressing known vulnerabilities in a timely manner indicates deficiencies in the cybersecurity policy, potentially leading to regulatory non-compliance.

DORA – ICT Risk Management Framework

Control ID: Article 5

Inadequate management of ICT risks, such as unpatched vulnerabilities, undermines the resilience and security of financial entities' operations.

CISA ZTMM 2.0 – Asset Management

Control ID: 3.1

Lack of proper asset management and vulnerability remediation processes can lead to unauthorized access and control over critical systems.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

Failure to implement appropriate risk management measures, including timely patching of known vulnerabilities, can result in significant security incidents.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Information Technology/IT

VMware ESXi ransomware exploitation directly threatens IT infrastructure providers managing virtualized environments, requiring immediate patching and zero trust segmentation implementation.

Health Care / Life Sciences

Healthcare organizations face critical risk from ESXi sandbox escape attacks targeting patient data systems, with HIPAA compliance violations and operational disruption potential.

Financial Services

Banking and financial institutions using VMware virtualization infrastructure are vulnerable to ransomware attacks exploiting CVE-2025-22225, threatening sensitive financial data protection.

Government Administration

Federal agencies must comply with CISA's March 25 patching deadline for ESXi vulnerabilities, as government systems storing sensitive data are primary ransomware targets.

Sources

CISA: VMware ESXi flaw now exploited in ransomware attackshttps://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/
Verified

CISA Adds Four Known Exploited Vulnerabilities to Cataloghttps://www.cisa.gov/news-events/alerts/2025/03/04/cisa-adds-four-known-exploited-vulnerabilities-catalog

Verified

NVD - CVE-2025-22225https://nvd.nist.gov/vuln/detail/CVE-2025-22225

Verified

Frequently Asked Questions

CVE-2025-22225 is a high-severity vulnerability in VMware ESXi that allows attackers with VMX process privileges to perform arbitrary kernel writes, leading to sandbox escapes and potential system compromise.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's initial access may have been constrained by identity-aware policies, reducing unauthorized entry points.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges could have been limited by strict segmentation policies, reducing the scope of access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement would likely have been constrained by east-west traffic controls, reducing unauthorized access between workloads.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's command and control channels may have been detected and disrupted through enhanced visibility and control across multicloud environments.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration efforts could have been limited by controlled egress policies, reducing unauthorized data transfers.

Impact (Mitigations)

The attacker's ability to deploy ransomware may have been constrained by prior segmentation and traffic controls, reducing the overall impact.

Impact at a Glance

Affected Business Functions

Virtualization Infrastructure
Data Center Operations

Operational Disruption

Estimated downtime: 14 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of sensitive corporate data stored on virtual machines.

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and prevent lateral movement within the environment.
• Deploy East-West Traffic Security controls to monitor and restrict internal traffic, detecting unauthorized movements.
• Utilize Multicloud Visibility & Control solutions to gain comprehensive insights into network activities and identify anomalies.
• Apply Inline IPS (Suricata) to detect and prevent exploitation attempts of known vulnerabilities like CVE-2025-22224 and CVE-2025-22225.
• Ensure timely patch management to address vulnerabilities promptly and reduce the attack surface.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Get a Free Workload Attack Path Assessment Under Active Attack?

Ransomware Groups Exploit VMware ESXi Vulnerability in 2026

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-22225

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Virtualization/Sandbox Evasion

Hardware Additions

Exploitation for Privilege Escalation

Endpoint Denial of Service

Data Encrypted for Impact

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Asset Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Information Technology/IT

Health Care / Life Sciences

Financial Services

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads