🟢 CVE-2025-22225

VMware ESXi contains an arbitrary write vulnerability allowing sandbox escape from the VMX process to kernel level. This is a local privilege escalation vulnerability requiring existing privileges within the VMX process (the per-VM user-space process on the host); it is not directly exploitable over the network.

Risk Level: LOW_RISK
CVSS Score: 8.2
Attack Vector: LOCAL
ATT&CK Tactic: Privilege Escalation
ATT&CK Technique: T1068 — Exploitation for Privilege Escalation
Deployment Risk: MEDIUM
Ransomware: Yes (+457d)

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-03-04

Added to CISA KEV: 2025-03-04 (0 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-22225 is a high-severity arbitrary write vulnerability in VMware ESXi that has been actively exploited in the wild, particularly by ransomware groups [3] [1].

Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability was identified as being exploited in the wild prior to its disclosure and patching in March 2025 [3] [1].
  • Ransomware Campaigns: It has been confirmed as a component in global ransomware campaigns [4]. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog due to its ongoing use by threat actors [1].
Attack Method and Impact
  • Method: The vulnerability is an arbitrary write flaw within the VMX process [5].
  • Requirements: A malicious actor must already have privileges within the VMX process to trigger the arbitrary kernel write [5]. The VMX process is the per-VM user-space process on the host, so in practice this prerequisite is reached from inside a guest: the companion CVE-2025-22224 (a VMCI TOCTOU out-of-bounds write, patched in the same advisory and listed alongside this CVE in [4]) gives a guest local administrator code execution as that VM's VMX process, and CVE-2025-22225 is then used to step from VMX into the hypervisor kernel.
  • Impact: Successful exploitation allows an attacker to escape the VMX sandbox and gain kernel-level access to the hypervisor [1], which exposes every VM running on that host. This can lead to a full compromise of ESXi and vCenter, enabling adversaries to bypass security controls, move laterally, and deploy ransomware [4].
Affected Versions and Mitigation
VMware released security updates in March 2025 to address this vulnerability [1]. The advisory lists no workaround, so upgrading to a fixed build is the only remediation; users are advised to upgrade to the latest patched versions to mitigate the risk [2].

Product Version     Status / Fixed In
VMware ESXi 8.0     Fixed in ESXi80U3d-24585383, ESXi80U2d-24585300 [6]
VMware ESXi 7.0     Fixed in ESXi70U3s-24585291 [6]
VMware ESXi 6.7     Fixed in ESXi670-202503001 [6]

*Note: VMware's official security advisory (VMSA-2025-0004) should be consulted for the complete response matrix and specific build numbers for all affected VMware products, including vSphere, Cloud Foundation, and Telco Cloud Platform [2].*
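The response table above is easy to misread in a fleet inventory: a host is fixed only if its build number is at or above the fixed build for its own update line (8.0 U3 reports version 8.0.3, 8.0 U2 reports 8.0.2, 7.0 U3 reports 7.0.3), and a raw build-number comparison across lines gives wrong answers because the 7.0 U3s fix (24585291) is numerically lower than the 8.0 U2d fix (24585300). The following added example (not code from the page, Broadcom or the cited sources) parses the output of `vmware -v` or `esxcli system version get` and classifies a host against the table. The version-to-update-line mapping, the assumption that any older update line (8.0.0, 8.0.1, 7.0.0 to 7.0.2) must be upgraded, and the sample outputs are the example's own; 6.7 is flagged for manual review because the page gives only a patch ID, not a build number, for that line.

```python
import re
from typing import NamedTuple, Tuple

# Fixed ESXi builds from the page's response table (VMSA-2025-0004), keyed by the
# dotted version the host itself reports (assumption: 8.0 U3 -> 8.0.3, 8.0 U2 -> 8.0.2,
# 7.0 U3 -> 7.0.3). A build at or above the number on the same line is fixed.
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}

# The 6.7 fix is published as patch ESXi670-202503001; the page gives no build number,
# so 6.7 hosts are flagged for manual review rather than compared against a guessed build.
MANUAL_REVIEW = {"6.7.0": "ESXi670-202503001"}

# Major.minor lines with a fix on at least one update line; an older update line
# (e.g. 8.0.1 or 7.0.2) has no fixed build of its own and must be upgraded.
FIXED_LINES = {"8.0", "7.0"}

_VMWARE_V = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")
_ESXCLI_VERSION = re.compile(r"^\s*Version:\s*(\d+\.\d+\.\d+)\s*$", re.M)
_ESXCLI_BUILD = re.compile(r"^\s*Build:\s*Releasebuild-(\d+)\s*$", re.M)


class Verdict(NamedTuple):
    version: str
    build: int
    status: str  # "patched", "vulnerable", "manual-review" or "unknown"
    note: str


def parse_version(text: str) -> Tuple[str, int]:
    """Accept the one-line `vmware -v` output or the multi-line
    `esxcli system version get` output and return (version, build)."""
    m = _VMWARE_V.search(text)
    if m:
        return m.group(1), int(m.group(2))
    v, b = _ESXCLI_VERSION.search(text), _ESXCLI_BUILD.search(text)
    if v and b:
        return v.group(1), int(b.group(1))
    raise ValueError("unrecognised ESXi version output")


def assess(version: str, build: int) -> Verdict:
    """Classify one host against the fixed builds for its own update line."""
    fixed = FIXED_BUILDS.get(version)
    if fixed is not None:
        if build >= fixed:
            return Verdict(version, build, "patched", f"build {build} >= fixed build {fixed}")
        return Verdict(version, build, "vulnerable", f"build {build} < fixed build {fixed}")
    if version in MANUAL_REVIEW:
        return Verdict(version, build, "manual-review",
                       f"compare against patch {MANUAL_REVIEW[version]} in VMSA-2025-0004")
    if version.rsplit(".", 1)[0] in FIXED_LINES:
        return Verdict(version, build, "vulnerable",
                       f"{version} has no fixed build of its own; upgrade to a fixed update line")
    return Verdict(version, build, "unknown", "version not covered by the response table")


def assess_output(text: str) -> Verdict:
    return assess(*parse_version(text))


# Constructed sample outputs for the example; not captured from real hosts.
SAMPLE_OUTPUTS = {
    "patched-8.0-U3d": "VMware ESXi 8.0.3 build-24585383",
    "older-8.0-U3": "VMware ESXi 8.0.3 build-24280767",
    # Same number as the 7.0 fixed build, but on the 8.0 U2 line it is below 24585300:
    # comparing build numbers without the version would mislabel this host as patched.
    "8.0-U2-below-fix": "VMware ESXi 8.0.2 build-24585291",
    "esxcli-7.0-U3s": ("   Product: VMware ESXi\n   Version: 7.0.3\n"
                       "   Build: Releasebuild-24585291\n   Update: 3\n   Patch: 130\n"),
    "esxi-6.7": "VMware ESXi 6.7.0 build-17700523",
}

if __name__ == "__main__":
    for label, out in SAMPLE_OUTPUTS.items():
        v = assess_output(out)
        print(f"{label:18} {v.version} {v.build} -> {v.status} ({v.note})")
```

Run it on the collected output of each host (for example `esxcli system version get` gathered over SSH or from a PowerCLI export); anything reported as "vulnerable" or "manual-review" needs the VMSA-2025-0004 fix applied, since no workaround exists. The example covers only CVE-2025-22225 (ESXi); the Workstation and Fusion builds in the same advisory relate to the companion CVEs, not this one.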

Sources

  1. 2025 VMware ESXi Vulnerability Exploited by Ransomware Groups

    CISA has now added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring ongoing use by ransomware attackers. ... Ransomware groups are actively exploiting CVE‑2025‑22225, a VMware ESXi arbitrary write vulnerability that allows attackers to escape the VMX sandbox and gain…

  2. Critical Zero-day Vulnerabilities in VMware ESXi, Workstation, and...

    VMware's official advisory does not include all affected product versions. VMware's official advisory VMSA-2025-0004 includes a Response Matrix detailing the fixed releases for each product. VMware have also released an FAQ detailing the following: You are affected if you are running any version of…

  3. Support Content Notification - Support Portal - Broadcom support portal

    Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22225 has occurred in the wild. 3c. HGFS information-disclosure vulnerability (CVE-2025-22226) Description: VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds…

  4. Multiple Vulnerabilities in VMware Products | Cyber Security Agency...

    VMware has released security updates to address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) affecting their ESXi, Workstation and Fusion products. These vulnerabilities are reportedly being exploited in ransomware attacks globally.This could lead to a full ESXi and…

  5. CVE-2025-22225 Detail - NVD

    VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write. …

  6. CVE-2025-22225: Detection, Impact & Mitigation Guide | Fidelis Security

    Explore CVE-2025-22225—understand its root cause, identify vulnerable systems, and implement detection and mitigation strategies to prevent exploits.Which Systems Are Vulnerable to CVE-2025-22225? Technical Overview. Vulnerability Type: Arbitrary Kernel Write via VMX Process (Sandbox Escape). Affect…