CISA confirms exploitation of VMware ESXi flaw by ransomware attackers

CVE-2025-22225, a VMware ESXi arbitrary write vulnerability, is being used in ransomware campaigns, CISA confirmed on Wednesday by updating the vulnerability’s entry in its Known Exploited Vulnerabilities (KEV) catalog.

Researchers linked VMware ESXi zero-day trio to single exploit toolkit

Broadcom fixed CVE-2025-22225, CVE-2025-22224 (a heap overflow vulnerability) and CVE-2025-22226 (an information disclosure flaw) in VMware ESXi, Workstation, and Fusion in early March 2025.

At the time of their disclosure, Broadcom said it had information suggesting that the three vulnerabilities had been exploited in the wild as zero-days, but details about the attacks were not shared. The three flaws were added to CISA’s KEV catalog on the same day.

In January 2026, Huntress researchers observed attackers using an exploit toolkit they believe takes advantage of all three vulnerabilities.

“Based on our analysis of the exploit’s behavior, its use of HGFS for information leaking, VMCI for memory corruption, and shellcode that escapes to the kernel, the Huntress Tactical Response team assesses with moderate confidence that this toolkit leverages these three CVEs,” they said at the time.

They also reported finding evidence suggesting the toolkit may have been developed by Chinese-speaking exploit developers more than a year before VMware’s public disclosure (i.e., in early 2024).

Delayed KEV ransomware flags complicate patch prioritization

Despite past public reports that all three vulnerabilities were being leveraged by ransomware actors, the KEV catalog marks only CVE-2025-22225 as “Known To Be Used in Ransomware Campaigns” at present, while the status of CVE-2025-22224 and CVE-2025-22226 remains “Unknown”.

While the KEV catalog’s primary purpose is to provide US federal civilian agencies with a list of vulnerabilities they are required to remediate by specific deadlines, it is also widely relied upon by private-sector security teams to prioritize patching and mitigation efforts.

Given that these private-sector consumers are far more likely to face ransomware attacks than nation-state cyber-espionage or sabotage campaigns, it is unfortunate for them that CISA often lags in updating the knownRansomwareCampaignUse field on KEV entries.

Although GreyNoise’s Glenn Thorpe recently pointed out that “relying on KEV for prioritization is already a trailing indicator, and waiting for the ransomware flag is even slower,” greater visibility into such updates would still be valuable.

Until CISA decides whether to provide that transparency, Thorpe has offered a practical workaround: an RSS feed that checks the KEV catalog hourly and alerts subscribers whenever CISA flips the knownRansomwareCampaignUse field to “Known”.
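The same check can be run locally against CISA's KEV JSON feed. The Python snippet below is an added example, not code from the article or from Thorpe's feed: it diffs two catalog snapshots and reports entries whose knownRansomwareCampaignUse field has flipped to "Known". The feed URL is the one CISA publishes; the snapshots are constructed to mirror the feed's shape, and the fourth CVE ID is a placeholder.

```python
import json
import urllib.request

# Real feed URL published by CISA; the live fetch is optional and not used by the sample run below.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
FIELD = "knownRansomwareCampaignUse"


def fetch_kev(url=KEV_URL, timeout=30):
    """Download the current KEV catalog as a dict (live network call)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def ransomware_flags(catalog):
    """Map cveID -> knownRansomwareCampaignUse for every entry in a KEV catalog dict."""
    return {v["cveID"]: v.get(FIELD, "Unknown") for v in catalog["vulnerabilities"]}


def flag_flips(previous, current):
    """Return the CVE IDs whose ransomware flag became 'Known' between two snapshots.

    Entries that are new in `current` and already 'Known' are reported as well,
    since a poller that only compares rows present in both snapshots would miss them.
    """
    before = ransomware_flags(previous)
    after = ransomware_flags(current)
    return sorted(cve for cve, flag in after.items()
                  if flag == "Known" and before.get(cve) != "Known")


# Constructed snapshots shaped like the real feed (other fields trimmed). The three
# CVE IDs come from the article; flag values are illustrative, not the live catalog.
SNAPSHOT_BEFORE = {"catalogVersion": "constructed-1", "vulnerabilities": [
    {"cveID": "CVE-2025-22224", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-22225", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-22226", "knownRansomwareCampaignUse": "Unknown"},
]}
SNAPSHOT_AFTER = {"catalogVersion": "constructed-2", "vulnerabilities": [
    {"cveID": "CVE-2025-22224", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-22225", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-22226", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "knownRansomwareCampaignUse": "Known"},  # placeholder: new entry
]}

if __name__ == "__main__":
    # Replace the snapshots with fetch_kev() results stored between hourly runs for live use.
    for cve in flag_flips(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{cve}: {FIELD} is now Known")
```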
