Ransomware, Vulnerability Management, Patch/Configuration Management, Threat Intelligence

CISA: Ransomware intrusions exploiting VMware ESXi bug ongoing

BleepingComputer reports that the high-severity VMware ESXi sandbox escape issue, tracked as CVE-2025-22225, was confirmed by the Cybersecurity and Infrastructure Security Agency to have been harnessed in ransomware attacks nearly a year after the flaw was added to the agency's Known Exploited Vulnerabilities catalog.

Additional information regarding the ransomware intrusions involving the bug has been withheld. Huntress researchers recently disclosed that attacks chaining CVE-2025-22225 with other VMware ESXi defects CVE-2025-22226 and CVE-2025-22224, all of which had been patched last March, may have been deployed by Chinese-speaking threat actors since February 2024. Other VMware vulnerabilities recently tagged to be actively exploited by CISA include the critical VMware vCenter Server issue, tracked as CVE-2024-37079, and the high-severity VMware Aria Operations and VMware Tools bug, tracked as CVE-2025-41244.

Such a development also follows a GreyNoise report detailing that CISA had updated ransomware exploitation status on 59 security flaws without alerting network defenders last year.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds