Cyber Security News

VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code

VMware has issued a critical security advisory (VMSA-2025-0004) warning of active exploitation of three vulnerabilities in its ESXi, Workstation, and Fusion products.

These flaws, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow attackers to execute malicious code, escalate privileges, and leak sensitive memory data.

The most severe vulnerability, CVE-2025-22224, carries a CVSSv3 score of 9.3 and enables hypervisor-level code execution from a compromised virtual machine.

Vulnerabilities and Exploitation Details

1. CVE-2025-22224: VMCI Heap-Overflow Vulnerability
This critical flaw in VMware’s VMCI (Virtual Machine Communication Interface) allows attackers with local administrative privileges on a virtual machine to execute code on the underlying host.

The vulnerability arises from a time-of-check-to-time-of-use (TOCTOU) race condition, leading to an out-of-bounds write. VMware confirmed active exploitation in the wild, and Microsoft Threat Intelligence Center was credited with discovering it.

2. CVE-2025-22225: ESXi Arbitrary Write Vulnerability
Rated “Important” (CVSS 8.2), this flaw permits attackers with VMX process privileges to write arbitrary kernel data, bypassing sandbox protections. VMware notes this vulnerability has also been exploited, though it requires prior access to the VMX environment.

3. CVE-2025-22226: HGFS Information Disclosure
This vulnerability (CVSS 7.1) in VMware’s Host-Guest File System (HGFS) allows attackers with VM admin rights to leak memory from the host’s VMX process. While less severe, it poses risks for data exfiltration and has been observed in active attacks.

These disclosures follow a pattern of high-severity VMware hypervisor vulnerabilities. In July 2024, ransomware groups like Akira and Black Basta exploited CVE-2024-37085, an authentication bypass flaw affecting 20,000+ internet-exposed ESXi servers, to encrypt hypervisors and hosted VMs.

Similarly, the 2022 VMSA-2022-0004 advisory addressed a virtual USB controller flaw enabling VM escapes, underscoring persistent risks in virtualization environments.

Mitigations

VMware urges immediate patching for all affected products:

  • ESXi 8.x: Apply updates listed in the VMSA-2025-0004 response matrix.
  • Workstation/Fusion: Upgrade to versions 17.5.2 or 18.5.1.
  • Cloud Foundation/Telco Cloud: Deploy updates per VMware’s guidance.

No workarounds exist for these vulnerabilities, emphasizing the urgency of updates. For organizations unable to patch immediately, isolating critical ESXi hosts from non-trusted networks is advised.

Microsoft, which reported the vulnerabilities, highlighted their use in “precision-targeted attacks” likely tied to advanced threat actors. The Shadowserver Foundation observed over 20,000 internet-facing ESXi instances vulnerable to CVE-2024-37085 as of July 2024, a precursor to the current wave of exploits.

VMware’s latest advisory underscores the escalating threats to virtualization infrastructure. With ransomware groups and nation-state actors increasingly targeting hypervisors, organizations must prioritize patch cycles and adopt proactive security measures, including network segmentation and credential hardening. As VMware notes, “delaying updates creates unnecessary risk.”


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
