BleepingComputer reports that the high-severity VMware ESXi sandbox escape issue, tracked as CVE-2025-22225, was confirmed by the Cybersecurity and Infrastructure Security Agency to have been harnessed in ransomware attacks nearly a year after the flaw was added to the agency's Known Exploited Vulnerabilities catalog.Additional information regarding the ransomware intrusions involving the bug has been withheld. Huntress researchers recently disclosed that attacks chaining CVE-2025-22225 with other VMware ESXi defects CVE-2025-22226 and CVE-2025-22224, all of which had been patched last March, may have been deployed by Chinese-speaking threat actors since February 2024. Other VMware vulnerabilities recently tagged to be actively exploited by CISA include the critical VMware vCenter Server issue, tracked as CVE-2024-37079, and the high-severity VMware Aria Operations and VMware Tools bug, tracked as CVE-2025-41244.Such a development also follows a GreyNoise report detailing that CISA had updated ransomware exploitation status on 59 security flaws without alerting network defenders last year.
Ransomware, Vulnerability Management, Patch/Configuration Management, Threat Intelligence
CISA: Ransomware intrusions exploiting VMware ESXi bug ongoing

An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



