PT-2025-9652 · VMware · VMware ESXi

Published

2025-03-04

·

Updated

2026-03-07

·

CVE-2025-22225

CVSS v3.1
8.2
Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: VMware ESXi (affected versions not specified on this page; the affected and fixed builds are listed in Broadcom advisory VMSA-2025-0004)
Description VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process (the user-space process on the host that runs a single virtual machine) may trigger an arbitrary kernel write, leading to an escape of the VMX sandbox into the ESXi host kernel. The PR:H in the CVSS vector reflects that precondition: the attacker must already control a VMX process, which in practice means a prior guest-to-VMX compromise; the changed scope (S:C) reflects that control of the ESXi kernel affects every virtual machine on the host. The flaw was disclosed together with a VMCI heap-overflow (CVE-2025-22224) and an HGFS information-disclosure bug (CVE-2025-22226) in Broadcom advisory VMSA-2025-0004. This vulnerability has been exploited in the wild; reports attribute its use to ransomware groups and describe attackers chaining it to gain code execution on the host, potentially impacting multiple virtual machines. The exploit toolkit described in those reports leverages VMCI (Virtual Machine Communication Interface) for the initial memory corruption, HGFS (Host-Guest File System) for data exfiltration, and kernel-level shellcode to escalate privileges on the host. CISA has added this vulnerability to its KEV catalog. The net effect is that an attacker escapes the virtual machine's sandbox and gains unrestricted access to the host system.
Recommendations Apply the fixed ESXi builds published by Broadcom in VMSA-2025-0004; the vendor lists no workaround, so patching is the only remediation. Verify the build currently running on each host (for example with esxcli system version get or vmware -vl in the ESXi shell, or via PowerCLI) and compare it against the fixed build for that host's release line. Keep ESXi management interfaces on an isolated, segmented network with access restricted to administrative hosts. Because the required privilege is control of a VMX process, which an attacker normally obtains by first compromising a guest, limit administrative rights inside guest operating systems and restrict console and API access to virtual machines through vCenter roles. Regularly audit virtual machine configurations and monitor hosts for anomalous behavior, such as unexpected process creation on the host, virtual machines that crash without explanation, or unusual outbound traffic.
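As an added worked example (not part of this advisory page and not VMware's own tooling), the following Python checks collected ESXi version output against a table of minimum fixed builds keyed by release line. The sample command output is constructed, and the build numbers in the fixed-build table are illustrative placeholders that must be replaced with the builds listed in VMSA-2025-0004.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Constructed sample output in the shape printed by `esxcli system version get`
# and by `vmware -vl` on an ESXi host (sample text, not captured from a real system).
SAMPLE_ESXCLI = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
"""
SAMPLE_VMWARE_VL = """\
VMware ESXi 7.0.3 build-23794027
VMware ESXi 7.0 Update 3
"""

# Minimum build that carries the fix, keyed by release line (major.minor.update).
# Keying by full update line matters: a patched 8.0 Update 2 host carries a
# lower build number than a patched 8.0 Update 3 host, so a single "8.0"
# threshold would misclassify one of them. The numbers here are illustrative
# placeholders (an assumption of this example); take the real ones from the
# Broadcom advisory VMSA-2025-0004.
FIXED_BUILDS_PLACEHOLDER: Dict[str, int] = {
    "8.0.3": 24_600_000,
    "8.0.2": 24_600_000,
    "7.0.3": 24_600_000,
}


@dataclass(frozen=True)
class EsxiVersion:
    version: str  # release line, e.g. "8.0.3"
    build: int    # build number, e.g. 24022510


_ESXCLI_VERSION = re.compile(r"^\s*Version:\s*([\d.]+)\s*$", re.M)
_ESXCLI_BUILD = re.compile(r"^\s*Build:\s*Releasebuild-(\d+)\s*$", re.M)
_VMWARE_VL = re.compile(r"^VMware ESXi ([\d.]+) build-(\d+)\s*$", re.M)


def parse_version(text: str) -> EsxiVersion:
    """Parse either esxcli or vmware -vl output into (release line, build)."""
    m = _VMWARE_VL.search(text)
    if m:
        return EsxiVersion(m.group(1), int(m.group(2)))
    v = _ESXCLI_VERSION.search(text)
    b = _ESXCLI_BUILD.search(text)
    if v and b:
        return EsxiVersion(v.group(1), int(b.group(1)))
    raise ValueError("unrecognised ESXi version output")


def assess(ver: EsxiVersion, fixed_builds: Dict[str, int]) -> str:
    """Classify a host as 'patched', 'vulnerable' or 'unknown'.

    'unknown' means no fixed build is known for that release line (for
    example a line that no longer receives updates); treat it as unpatched.
    """
    fixed = fixed_builds.get(ver.version)
    if fixed is None:
        return "unknown"
    return "patched" if ver.build >= fixed else "vulnerable"


def check_hosts(outputs: Dict[str, str], fixed_builds: Dict[str, int]) -> Dict[str, str]:
    """Map hostname -> status for a batch of collected version outputs."""
    results: Dict[str, str] = {}
    for host, text in outputs.items():
        try:
            results[host] = assess(parse_version(text), fixed_builds)
        except ValueError as exc:
            # Unparseable output is reported rather than silently skipped,
            # so no host drops out of the inventory.
            results[host] = f"error: {exc}"
    return results


if __name__ == "__main__":
    report = check_hosts(
        {"esx01": SAMPLE_ESXCLI, "esx02": SAMPLE_VMWARE_VL},
        FIXED_BUILDS_PLACEHOLDER,
    )
    for host, status in sorted(report.items()):
        print(f"{host}: {status}")
```

Feed check_hosts the raw text collected from each host and review anything that is not "patched": "unknown" means the host runs a release line that is not in the table, which for a line no longer receiving updates is effectively an unpatched host, and "error" means the collector returned something other than version output.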

Fix

LPE

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2025-02379
CVE-2025-22225

Affected Products

VMware ESXi