Friday, February 6, 2026

CISA has disclosed that ransomware groups have begun exploiting a VMware ESXi vulnerability related to virtual machine sandbox escape. The flaw, tracked as CVE-2025-22225, was previously used in zero-day attacks and is classified as an arbitrary write vulnerability that could allow attackers with privileges inside the VMX process to write data to the kernel, ultimately enabling a sandbox escape. Broadcom released patches for this vulnerability in March 2025 alongside other issues, including CVE-2025-22226 (memory leak) and CVE-2025-22224 (TOCTOU), both of which have also been identified as actively exploited.
All three vulnerabilities affect multiple VMware products, including VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform. Attackers with administrator or root-level privileges can chain these vulnerabilities together to break out of a virtual machine and take control of the host system. A report from Huntress indicates that a Chinese-speaking threat group has likely been leveraging these flaws in sophisticated attacks since February 2024. CISA further confirmed that CVE-2025-22225 has already been used in ransomware operations, although technical details of the attacks have not yet been disclosed.
CISA has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to implement mitigations within the required timeframe under Binding Operational Directive (BOD) 22-01. Organizations are strongly advised to apply vendor patches, follow cloud security best practices, or consider discontinuing affected products if the risk cannot be mitigated. Experts note that ransomware operators and state-backed attackers frequently target VMware vulnerabilities because the platform is widely deployed in enterprise environments that store sensitive data. CISA is also tracking additional VMware flaws that continue to be exploited, with reports indicating that at least 59 security vulnerabilities were used in ransomware campaigns over the past year, highlighting the growing risk to IT infrastructure worldwide.
