securityaffairs.com 2/4/2026, 10:25:20 PM

CVE-2025-22225 in VMware ESXi now used in active ransomware attacks

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), ransomware groups are now exploiting CVE-2025-22225 in VMware ESXi, a sandbox-escape vulnerability patched by Broadcom in March 2025. The flaw is an arbitrary write: an attacker who already holds privileges inside the VMX process can use it to escape the ESXi sandbox and potentially deploy ransomware. VMware noted in its advisory that exploitation in the wild had already been observed.

The March 2025 advisory VMSA-2025-0004 fixed three zero-days exploited in the wild: CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, which together enable VM escape and code execution. Huntress researchers have linked earlier activity to a Chinese-speaking actor who abused a compromised SonicWall VPN to deliver an ESXi-focused toolkit, suggesting the flaws were exploited well before public disclosure.

The investigation describes an orchestrator component named MAESTRO that coordinates the exploit chain, and CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to reflect that the flaw is being used in ransomware attacks.

Article by CyberSIXT