Mallory

CISA Flags VMware ESXi CVE-2025-22225 as Exploited in Ransomware Campaigns

Tags: vmware esxi, ransomware, cisa, zero-day, vmsa, vm escape, vulnerability prioritization, sonicwall, vmx, vpn, arbitrary kernel write, sandbox escape, out-of-bounds read, out-of-bounds write
Updated February 6, 2026 at 04:01 AM (6 sources)


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated the Known Exploited Vulnerabilities (KEV) catalog entry for CVE-2025-22225, a high-severity VMware ESXi VMX sandbox escape, changing its "known to be used in ransomware campaigns" field from Unknown to Known. Broadcom patched the issue in March 2025 in advisory VMSA-2025-0004, which describes CVE-2025-22225 as an arbitrary kernel write reachable by an attacker who already has privileges within the VMX process, allowing escape from the VMX sandbox into the ESXi kernel. The same advisory addressed two other zero-days: CVE-2025-22224, a TOCTOU race leading to an out-of-bounds write and code execution as the VMX process on the host from a guest with local administrative privileges, and CVE-2025-22226, an HGFS out-of-bounds read that leaks memory from the VMX process. Broadcom reported all three as exploited in the wild when the advisory was published. Note how the descriptions fit together: the outcome of CVE-2025-22224 (code execution as VMX) is exactly the precondition of CVE-2025-22225 (privileges within VMX), which is why the pair amounts to a guest-to-hypervisor escape rather than two isolated bugs.
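The first thing a practitioner wants from an advisory like VMSA-2025-0004 is a way to tell which hosts are still below the fixed build. The script below is an added example, not code from Broadcom or Mallory: it parses the first line printed by `vmware -vl` on an ESXi host and compares the build number with the fixed build for that release line. The fixed builds in `FIXED_BUILDS` are the ones listed in the VMSA-2025-0004 response matrix (ESXi70U3s, ESXi80U2d, ESXi80U3d) as the editor recalls them; confirm them against the advisory before relying on the check. The host inventory is constructed for the example.

```python
"""Triage ESXi hosts against the VMSA-2025-0004 fixed builds.

Added example (not Broadcom's or Mallory's code). Input per host is the first
line of `vmware -vl`, e.g. "VMware ESXi 8.0.3 build-24022510". ESXi build
numbers increase monotonically over time, so "build >= fixed build for this
release line" means the host carries the fix.
"""
import re

# ASSUMPTION: fixed builds as listed in the VMSA-2025-0004 response matrix.
# Verify against the advisory before using this operationally.
FIXED_BUILDS = {
    "7.0.3": 24585291,  # ESXi70U3s
    "8.0.2": 24585300,  # ESXi80U2d
    "8.0.3": 24585383,  # ESXi80U3d
}

VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")


def parse_vmware_vl(line):
    """Return (version, build) from a `vmware -vl` first line."""
    m = VERSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    return m.group(1), int(m.group(2))


def assess(line):
    """Classify one host as 'fixed', 'vulnerable' or 'needs_upgrade'.

    'needs_upgrade' covers release lines with no fix in this advisory
    (6.x, 7.0 before U3, 8.0 before U2): those hosts must move to a
    supported line, not just apply a patch.
    """
    version, build = parse_vmware_vl(line)
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return "needs_upgrade"
    return "fixed" if build >= fixed else "vulnerable"


def triage(hosts):
    """Map hostname -> status for a dict of hostname -> `vmware -vl` line."""
    return {name: assess(line) for name, line in hosts.items()}


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = {
    "esx01": "VMware ESXi 8.0.3 build-24022510",
    "esx02": "VMware ESXi 8.0.3 build-24585383",
    "esx03": "VMware ESXi 7.0.3 build-23794027",
    "esx04": "VMware ESXi 6.7.0 build-17700523",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{host}: {status}")
```

In a real environment the `vmware -vl` lines come from your inventory tooling (PowerCLI, vCenter API, or an SSH sweep); the comparison logic is the part worth keeping, since a version string alone ("8.0.3") says nothing about whether the March 2025 patch is present.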

Reporting also tied the ESXi exploitation to earlier, more sophisticated activity. Huntress described Chinese-speaking threat actors using access obtained through a compromised SonicWall VPN to deliver tooling aimed at VMware ESXi, chaining a VM escape technique that appeared to predate public disclosure of the March 2025 ESXi zero-days. Separately, GreyNoise research pointed to a broader visibility gap in the KEV catalog: during 2025 CISA quietly "flipped" dozens of entries from "Unknown" to "Known" for ransomware use without any prominent public notification. That matters for enterprise prioritization, because a change from unconfirmed to confirmed ransomware exploitation is exactly the signal many patch programs key on, and it is easy to miss if the only evidence is a changed field in the catalog JSON.

Sources

February 4, 2026 at 05:38 PM


Related Stories

CISA Flags Actively Exploited VMware vCenter Server RCE (CVE-2024-37079)


**CISA added CVE-2024-37079, a critical VMware vCenter Server vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after Broadcom indicated it had evidence of in-the-wild exploitation.** The flaw is a **9.8 CVSS** out-of-bounds write/heap-overflow issue in vCenter Server's **DCERPC** implementation; an attacker with network access can send specially crafted packets that may result in **remote code execution (RCE)**. CISA's KEV entry does not attribute exploitation to a specific threat actor and lists ransomware use as **unknown**, but the KEV addition triggers mandatory remediation timelines for US federal agencies. Reporting also noted that CISA added multiple other enterprise software issues to KEV in a short span (including vulnerabilities affecting **Versa Concerto** and **Zimbra**, plus developer tools), but the vCenter Server item drew specific attention because it was **patched by Broadcom in 2024** and is still being exploited. Broadcom has not publicly provided details on the scope, victims, or exploitation chain beyond acknowledging observed exploitation, which reinforces the need for organizations running vCenter Server to validate exposure and confirm the relevant updates are deployed.

1 month ago
CISA KEV updates and active exploitation alerts highlight shifting vulnerability risk


CISA’s *Known Exploited Vulnerabilities (KEV) Catalog* continued to expand with newly confirmed in-the-wild exploitation, including the addition of **four CVEs**: `CVE-2019-19006` (Sangoma FreePBX improper authentication), `CVE-2021-39935` (GitLab CE/EE SSRF), `CVE-2025-40551` (SolarWinds Web Help Desk deserialization of untrusted data), and `CVE-2025-64328` (Sangoma FreePBX OS command injection). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by CISA’s due dates, and CISA urged non-federal organizations to use KEV as a prioritization input because these flaws are common initial access vectors. Separate reporting highlighted concerns about how CISA communicates changes to KEV metadata tied to ransomware risk: GreyNoise reported that across **59 instances in 2025**, CISA updated KEV entries to reflect **ransomware-associated exploitation** without proactively notifying defenders when the “known ransomware use” flag changed from *Unknown* to *Known*, which can materially affect patch prioritization. In parallel, third-party coverage described a CISA high-priority alert for a **critical KiloView Encoder Series** issue, `CVE-2026-1453` (CVSS **9.8**), caused by **missing authentication for critical functions** that could allow unauthenticated attackers to create/delete administrator accounts and gain full administrative control—posing disruption and lateral-movement risk in broadcast/production networks.

1 month ago
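The GreyNoise finding described in this story and in the main item above (KEV entries flipped from "Unknown" to "Known" ransomware use without notice) is something defenders can detect themselves by diffing successive copies of the catalog. The script below is an added example, not code from CISA, GreyNoise or Mallory. It uses the field names of the public KEV JSON feed (`vulnerabilities[].cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`); the two snapshots embedded in it are constructed for the example, with dates that should not be read as CISA's real ones. In practice you would load yesterday's and today's download of `known_exploited_vulnerabilities.json`.

```python
"""Diff two KEV catalog snapshots and surface quiet metadata changes.

Added example (not CISA's, GreyNoise's or Mallory's code). Reports new
entries, removed entries, and any field that changed on an existing entry,
with a dedicated list for the Unknown -> Known ransomware flip that GreyNoise
found CISA applying without announcement. Also shows using the catalog as a
prioritization input for a chosen set of products.
"""
import json

# Constructed snapshots: the real feed is CISA's known_exploited_vulnerabilities.json.
OLD_SNAPSHOT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
   "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
   "dateAdded": "2026-01-06", "dueDate": "2026-01-27",
   "knownRansomwareCampaignUse": "Unknown"}
]}
""")

NEW_SNAPSHOT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
   "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
   "dateAdded": "2026-01-06", "dueDate": "2026-01-27",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds", "product": "Web Help Desk",
   "dateAdded": "2026-01-08", "dueDate": "2026-01-29",
   "knownRansomwareCampaignUse": "Unknown"}
]}
""")


def by_cve(snapshot):
    """Index a catalog snapshot by CVE identifier."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def diff_kev(old, new):
    """Compare two snapshots; the ransomware flip gets its own list so it is never buried."""
    o, n = by_cve(old), by_cve(new)
    report = {
        "added": sorted(n.keys() - o.keys()),
        "removed": sorted(o.keys() - n.keys()),
        "ransomware_flips": [],
        "field_changes": {},
    }
    for cve in sorted(n.keys() & o.keys()):
        fields = set(o[cve]) | set(n[cve])
        changed = {f: (o[cve].get(f), n[cve].get(f))
                   for f in fields if o[cve].get(f) != n[cve].get(f)}
        if not changed:
            continue
        if changed.get("knownRansomwareCampaignUse") == ("Unknown", "Known"):
            report["ransomware_flips"].append(cve)
        report["field_changes"][cve] = changed
    return report


def prioritize(snapshot, products):
    """CVEs affecting the given {(vendorProject, product)} set.

    Confirmed-ransomware entries come first, then earliest BOD 22-01 due date.
    """
    rows = [v for v in snapshot["vulnerabilities"]
            if (v["vendorProject"], v["product"]) in products]
    rows.sort(key=lambda v: (v["knownRansomwareCampaignUse"] != "Known", v["dueDate"]))
    return [v["cveID"] for v in rows]


if __name__ == "__main__":
    print(json.dumps(diff_kev(OLD_SNAPSHOT, NEW_SNAPSHOT), indent=2))
    print(prioritize(NEW_SNAPSHOT, {("VMware", "ESXi"), ("VMware", "vCenter Server")}))
```

Run daily against archived copies of the feed, the `ransomware_flips` list is the notification CISA does not send; `field_changes` also catches due-date edits and description rewrites, which are the other quiet changes worth a ticket.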
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)


Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.

1 month ago
