CISA Flags VMware ESXi CVE-2025-22225 as Exploited in Ransomware Campaigns
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to mark CVE-2025-22225, a high-severity VMware ESXi sandbox-escape flaw, as known to be used in ransomware campaigns. Broadcom patched the issue in March 2025 in advisory VMSA-2025-0004, which describes CVE-2025-22225 as an arbitrary kernel write reachable by an attacker who already has code execution inside the VMX process, allowing escape from the VMX sandbox into the ESXi kernel. The same advisory fixed two companion zero-days: CVE-2025-22224, a TOCTOU race that leads to an out-of-bounds write and code execution as the host's VMX process from a guest with local administrative privileges, and CVE-2025-22226, an out-of-bounds read in HGFS that leaks VMX process memory. Broadcom said at the time that it had information that all three were being exploited in the wild; chained together they take an attacker from a guest VM to the hypervisor kernel.
Reporting has also tied the ESXi exploitation to earlier, more sophisticated activity: Huntress described Chinese-speaking threat actors using access gained through a compromised SonicWall VPN to deliver tooling aimed at VMware ESXi, chaining a VM-escape technique that appears to predate the public disclosure of the March 2025 zero-days. Separately, GreyNoise research exposed a visibility gap in the KEV catalog itself: during 2025 CISA quietly "flipped" dozens of entries from "Unknown" to "Known" for ransomware use without prominent public notice. Because many organizations use the ransomware flag as a prioritization signal, a silent status change can leave a confirmed ransomware-exploited vulnerability sitting in the patch queue as if nothing had changed.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
GreyNoise reveals unpublicized KEV ransomware-flag changes
On February 4, 2026, Dark Reading reported GreyNoise research showing that CISA had made dozens of unannounced KEV ransomware-status updates during 2025. GreyNoise researcher Glenn Thorpe also published an RSS feed that alerts defenders whenever a KEV ransomware flag changes.
CISA updates KEV to confirm ransomware exploitation of CVE-2025-22225
On or around February 3, 2026, CISA updated the KEV entry for CVE-2025-22225 to show it is known to be used in ransomware campaigns. CISA did not disclose which ransomware groups or incidents were involved.
Huntress publicly reports details of the ESXi exploit toolkit
In January 2026, Huntress disclosed technical findings on an exploit toolkit that likely chained the three VMware ESXi flaws, including use of HGFS, VMCI, kernel-escape shellcode, and a VSOCK-based backdoor. The report linked the tooling to long-term activity by Chinese-speaking exploit developers.
BlueKeep KEV entry updated to show ransomware use
CISA updated the KEV entry for BlueKeep (CVE-2019-0708) in summer 2025 to indicate known ransomware exploitation, years after the vulnerability was first added to the catalog. GreyNoise cited the delayed change as an example of how KEV ransomware flags can lag real-world risk.
CISA adds CVE-2025-22225 to the KEV catalog
CISA added CVE-2025-22225 to its Known Exploited Vulnerabilities catalog on March 4, 2025. Under Binding Operational Directive 22-01, U.S. federal agencies were required to remediate the flaw by March 25, 2025.
Broadcom patches three VMware ESXi zero-days
In early March 2025, Broadcom released VMSA-2025-0004 to patch CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 affecting VMware ESXi. The company said it had indications the flaws had been exploited in the wild as zero-days and warned they could be chained for VM escape and code execution.
CISA silently flips ransomware-use flags on dozens of KEV entries
During 2025, CISA updated multiple KEV entries to change the field indicating whether a vulnerability was known to be used in ransomware campaigns from "Unknown" to "Known" without public notice. GreyNoise researcher Glenn Thorpe later identified 59 such changes by diffing daily KEV snapshots.
Chinese-speaking attackers begin covert ESXi exploit-chain activity
Huntress assessed that Chinese-speaking threat actors were likely using a VMware ESXi exploit chain involving CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 since at least February 2024. Reported activity included use of a compromised SonicWall VPN, an ESXi-focused toolkit, and related persistence and backdoor components.
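The snapshot-diffing approach described in the GreyNoise entry above is easy to reproduce. The following is an added example, not GreyNoise's tool or code from any of this page's sources: two KEV-style snapshots are constructed inline (only the fields the diff needs are populated), the field names follow the public KEV JSON feed (cveID, vendorProject, product, knownRansomwareCampaignUse), and the inventory match is a deliberately simple vendor/product lookup standing in for whatever asset mapping a real deployment would use.

```python
"""Diff two CISA KEV catalog snapshots and surface ransomware-flag flips.

Added example, not GreyNoise's or CISA's code. Record layout mirrors the public
KEV JSON feed; the two snapshots below are constructed so the script runs offline.
"""
import json
from typing import Dict, Iterable, List, Set, Tuple

FLAG = "knownRansomwareCampaignUse"

# Constructed "yesterday" snapshot. Values for the flag in the real feed are
# the strings "Known" and "Unknown".
SNAPSHOT_OLD = json.dumps({
    "catalogVersion": "2026.02.02",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         FLAG: "Unknown"},
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi",
         FLAG: "Unknown"},
        {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft",
         "product": "Remote Desktop Services", FLAG: "Known"},
    ],
})

# Constructed "today" snapshot: CVE-2025-22225 flipped to Known and nothing
# else changed, which is exactly the edit a "new additions" feed never shows.
SNAPSHOT_NEW = json.dumps({
    "catalogVersion": "2026.02.03",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware", "product": "ESXi",
         FLAG: "Known"},
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi",
         FLAG: "Unknown"},
        {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft",
         "product": "Remote Desktop Services", FLAG: "Known"},
    ],
})


def load_snapshot(text: str) -> Dict[str, dict]:
    """Parse a KEV JSON document and index its entries by CVE ID."""
    doc = json.loads(text)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def flag_changes(old: Dict[str, dict], new: Dict[str, dict]) -> List[dict]:
    """Return every entry whose ransomware flag differs between the snapshots.

    Entries present in only one snapshot are reported with old or new set to
    None, so additions and removals are not mistaken for flips.
    """
    changes = []
    for cve in sorted(old.keys() | new.keys()):
        before = old.get(cve, {}).get(FLAG)
        after = new.get(cve, {}).get(FLAG)
        if before == after:
            continue
        rec = new.get(cve) or old[cve]
        changes.append({"cveID": cve, "vendorProject": rec.get("vendorProject"),
                        "product": rec.get("product"), "old": before, "new": after})
    return changes


def ransomware_flips(old: Dict[str, dict], new: Dict[str, dict]) -> List[dict]:
    """Only the Unknown -> Known transitions, i.e. entries that just gained priority."""
    return [c for c in flag_changes(old, new)
            if c["old"] == "Unknown" and c["new"] == "Known"]


def affecting_inventory(changes: Iterable[dict],
                        inventory: Set[Tuple[str, str]]) -> List[str]:
    """CVE IDs in `changes` whose (vendor, product) pair appears in the inventory.

    Case-insensitive match on the KEV vendorProject/product strings; a real
    deployment would map onto CPEs or asset tags instead.
    """
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for c in changes:
        vendor, product = c["vendorProject"], c["product"]
        if vendor and product and (vendor.lower(), product.lower()) in wanted:
            hits.append(c["cveID"])
    return hits


if __name__ == "__main__":
    old, new = load_snapshot(SNAPSHOT_OLD), load_snapshot(SNAPSHOT_NEW)
    for c in flag_changes(old, new):
        print(f"{c['cveID']}: {c['old']} -> {c['new']} ({c['vendorProject']} {c['product']})")
    print("escalate:", affecting_inventory(ransomware_flips(old, new), {("VMware", "ESXi")}))
```

Run daily against the live feed, the only thing that changes is where the two snapshots come from; the point of keeping additions and removals separate from flips is that a flip on an entry you already tracked is the signal that should reprioritize an existing ticket, not open a new one.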
Sources
CISA: Ransomware intrusions exploiting VMware ESXi bug ongoing (SC Media, scworld.com)
CISA confirms exploitation of VMware ESXi flaw by ransomware attackers (Help Net Security, helpnetsecurity.com)
CISA Warns of VMware ESXi 0-day Vulnerability Exploited in Ransomware Attacks (Cyber Security News, cybersecuritynews.com)
CVE-2025-22225 in VMware ESXi now used in active ransomware attacks (Security Affairs, securityaffairs.com)
CISA: VMware ESXi flaw now exploited in ransomware attacks (BleepingComputer, bleepingcomputer.com)
CISA Makes Unpublicized Ransomware Updates to KEV Catalog (Dark Reading, darkreading.com)