CISA Alert: VMware ESXi Flaw Exploited in Ransomware Attacks - What You Need to Know (2026)

Ransomware Attacks: A New Threat to VMware ESXi

CISA, the US Cybersecurity and Infrastructure Security Agency, has confirmed that ransomware operators are now exploiting a severe sandbox-escape vulnerability in VMware ESXi, the enterprise hypervisor that underpins a large share of corporate server estates. The same flaw had earlier been used in stealthy zero-day attacks, so this marks its move from targeted intrusion tooling into commodity extortion campaigns.

In March 2025, Broadcom released patches for three exploited vulnerabilities in VMware ESXi and its desktop hypervisors (advisory VMSA-2025-0004), one of them rated critical: a TOCTOU race condition in the VMCI driver that leads to an out-of-bounds write (CVE-2025-22224), an arbitrary-write vulnerability in ESXi (CVE-2025-22225), and an out-of-bounds read in HGFS that leaks memory from the VMX process (CVE-2025-22226). The three chain together. A local administrator inside a virtual machine can use CVE-2025-22224 to run code as the VMX process on the host, and CVE-2025-22225 then lets code running in that VMX process perform an arbitrary kernel write and escape the VMX sandbox; CVE-2025-22226 supplies the memory disclosure needed to make the exploit reliable. The end state is control of the hypervisor, and therefore of every VM it hosts, which is exactly what ESXi-focused ransomware crews want before they encrypt datastores.

The more troubling detail: these vulnerabilities had been exploited in the wild for over a year before the patches existed. According to cybersecurity firm Huntress, Chinese-speaking threat actors have likely been using the flaws in zero-day attacks since February 2024. That does not call the patch itself into question, but it does mean organisations running ESXi had a window of roughly a year in which guest-to-host escapes were possible with no fix available, and it is worth asking what an attacker with hypervisor access could have reached in that time.

CISA moved quickly. It added the ESXi vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in March 2025 and required federal civilian agencies to remediate by the end of that month. More recently, CISA updated the catalog entry for the arbitrary-write flaw to mark it as known to be used in ransomware campaigns (the catalog carries this as a dedicated field on each entry), although it has not disclosed which ransomware operations are involved or how the flaw is being chained in those attacks.
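The KEV catalog is published as a JSON feed, so the ransomware flag and the remediation deadline CISA attaches to each entry can be checked programmatically against an ESXi inventory. The following script is an added example, not code from the article, from CISA or from Broadcom. It assumes the KEV field names shown (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`, and the top-level `vulnerabilities` array) match the public feed, it parses the output format of `esxcli system version get` on an ESXi host, and it treats the sample catalog excerpt, the host captures and the `FIXED_BUILDS` table as constructed placeholders. The fixed build numbers in particular must be taken from the Broadcom advisory for each release train before this is used for real triage.

```python
"""Triage ESXi hosts against CISA's KEV catalog (added example, not from the article).

Assumptions: KEV JSON schema as in the public feed; `esxcli system version get`
output format; FIXED_BUILDS holds PLACEHOLDER numbers, keyed by the ESXi
version string, to be replaced with the fixed builds from the vendor advisory.
"""
import json
import re
from datetime import date

# Constructed excerpt mimicking the KEV feed's schema; values are illustrative.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi and Workstation",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-38812", "vendorProject": "VMware", "product": "vCenter Server",
         "dateAdded": "2024-11-18", "dueDate": "2024-12-09",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-0000", "vendorProject": "ExampleCorp", "product": "Widget",
         "dateAdded": "2024-01-01", "dueDate": "2024-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed `esxcli system version get` captures, one per host.
SAMPLE_HOSTS = {
    "esx01": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24022510\n   Update: 3\n   Patch: 0\n",
    "esx02": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24700000\n   Update: 3\n   Patch: 0\n",
    "esx03": "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-23794027\n   Update: 3\n   Patch: 0\n",
    "esx04": "   Product: VMware ESXi\n   Version: 6.7.0\n   Build: Releasebuild-17700523\n   Update: 3\n   Patch: 0\n",
}

# PLACEHOLDER minimum fixed build per ESXi version string. Replace with the
# builds listed in the vendor advisory; a train missing here is reported as unknown.
FIXED_BUILDS = {"8.0.3": 24_600_000, "8.0.2": 24_600_000, "7.0.3": 24_600_000}

_ESXCLI_LINE = re.compile(r"^\s*(\w+):\s*(.+?)\s*$")


def vmware_esxi_kev_entries(catalog_json):
    """KEV entries whose vendor is VMware and whose product names ESXi."""
    catalog = json.loads(catalog_json)
    return [v for v in catalog["vulnerabilities"]
            if v["vendorProject"] == "VMware" and "ESXi" in v["product"]]


def ransomware_flagged(entries):
    """CVE IDs CISA has marked as used in ransomware campaigns."""
    return [v["cveID"] for v in entries if v.get("knownRansomwareCampaignUse") == "Known"]


def overdue(entries, today):
    """CVE IDs whose KEV remediation deadline has already passed."""
    return [v["cveID"] for v in entries if date.fromisoformat(v["dueDate"]) < today]


def parse_esxcli_version(output):
    """Turn `esxcli system version get` text into {product, version, build:int}."""
    fields = {}
    for line in output.splitlines():
        m = _ESXCLI_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    build = int(fields["Build"].rsplit("-", 1)[-1])   # "Releasebuild-24022510" -> 24022510
    return {"product": fields["Product"], "version": fields["Version"], "build": build}


def is_patched(host, fixed_builds):
    """True/False against the fixed build for the host's train; None if train unknown."""
    floor = fixed_builds.get(host["version"])
    if floor is None:
        return None
    return host["build"] >= floor


def triage(hosts, catalog_json, fixed_builds, today):
    """Per-host report; an unknown train is treated as unpatched (conservative)."""
    entries = vmware_esxi_kev_entries(catalog_json)
    report = {}
    for name, capture in hosts.items():
        host = parse_esxcli_version(capture)
        patched = is_patched(host, fixed_builds)
        exposed = patched is not True
        report[name] = {
            "version": host["version"], "build": host["build"], "patched": patched,
            "cves": [v["cveID"] for v in entries] if exposed else [],
            "ransomware_known": ransomware_flagged(entries) if exposed else [],
            "overdue": overdue(entries, today) if exposed else [],
        }
    return report


if __name__ == "__main__":
    for name, row in triage(SAMPLE_HOSTS, SAMPLE_KEV_JSON, FIXED_BUILDS, date.today()).items():
        print(name, row)
```

Two design points: the build comparison is keyed by the full version string (8.0.3, 8.0.2, 7.0.3) rather than the major version, because each release train gets its own fixed build and a single threshold would misjudge hosts on an older but patched train; and a host whose train is not in the table is reported as exposed with `patched` set to `None`, so it is escalated rather than silently passed.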

A recurring target: VMware products draw both ransomware gangs and state-sponsored groups because a single hypervisor host fronts dozens of business-critical VMs, and encrypting or exfiltrating at that layer bypasses the endpoint controls inside each guest. In October 2025, for instance, CISA ordered federal agencies to patch a high-severity vulnerability in Broadcom's VMware Aria Operations and VMware Tools that Chinese hackers had been exploiting since the previous year.

Staying vigilant: CISA has also recently flagged a critical VMware vCenter Server vulnerability as actively exploited and ordered federal agencies to remediate it. Additionally, cybersecurity firm GreyNoise reported that in 2024 alone CISA quietly marked 59 KEV entries as known to be used in ransomware campaigns, a signal that is easy to miss because it is a field change on an existing catalog entry rather than a new alert.

The takeaway: patch ESXi promptly, and treat the KEV ransomware flag as a priority escalation rather than a footnote. Because this chain starts from an administrator inside a guest VM, a compromised or tenant-controlled VM is a path to the host, so hardening the hypervisor is not a substitute for fixing the bug. The impact of a successful escape is the loss of every workload on the host at once, which is why the race to secure virtualisation infrastructure is more critical than ever.

Article information

Author: Amb. Frankie Simonis
