41,500+ VMware ESXi Instances Vulnerable to Code Execution Attacks

We are scanning & reporting out VMware ESXi CVE-2025-22224 vulnerable instances ("a malicious actor with local admin privileges on a virtual machine may exploit this to execute code as virtual machine's VMX process running on host"). It enables attackers with local administrative access to a virtual machine (VM) to execute malicious code on the underlying hypervisor, a breach with catastrophic implications for cloud infrastructure and enterprise networks. Shadowserver observed that 41,500+ internet-exposed VMware ESXi hypervisors as of March 4, 2025, are vulnerable to CVE-2025-22224, a critical zero-day vulnerability actively exploited in attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-22224 to its Known Exploited Vulnerabilities (KEV) catalog on March 4, mandating federal agencies to patch it by March 25, 2025. Organizations must immediately isolate ESXi management interfaces from the internet, audit VM administrative access, and monitor for anomalous VMX process activity. VMware ESXi is widely used in enterprise environments for server consolidation and cloud management, making this vulnerability a high-value target. Broadcom confirmed active exploitation of this flaw alongside two additional vulnerabilities (CVE-2025-22225 and CVE-2025-22226), which attackers chain together to bypass security safeguards. Hypervisor Takeover: Code execution in the VMX context allows disabling security controls, accessing other VMs, or deploying ransomware. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. CVE-2025-22224 (CVSS 9.3) is a Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation products. This mirrors tactics seen in mid-2024 campaigns exploiting CVE-2024-37085, another ESXi authentication bypass flaw leveraged by ransomware groups. Microsoft Threat Intelligence Center discovered the vulnerabilities and reported them to Broadcom, noting their utility in ransomware and advanced persistent threat (APT) campaigns. Due to the flaw’s low attack complexity, threat actors can leverage existing VM breaches, such as those induced by phishing, or exploit web applications to gain control of the hypervisor. Initial VM Compromise: Attackers gain administrative access to a VM via phishing, credential theft, or application vulnerabilities.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 06 Mar 2025 05:20:15 +0000


Cyber News related to 41,500+ VMware ESXi Instances Vulnerable to Code Execution Attacks

Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
2 years ago Hackread.com CVE-2021-21974
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
1 year ago Bleepingcomputer.com Qilin
41,500+ VMware ESXi Instances Vulnerable to Code Execution Attacks - We are scanning & reporting out VMware ESXi CVE-2025-22224 vulnerable instances ("a malicious actor with local admin privileges on a virtual machine may exploit this to execute code as virtual machine's VMX process running on ...
2 weeks ago Cybersecuritynews.com CVE-2025-22224
No Signs of Unpatched Vulnerabilities Discovered in ESXiArgs Ransomware Attacks - VMware reported on Monday that there is no proof that hackers are using an unknown security flaw, also known as a zero-day, in its software as part of a ransomware attack. Most reports suggest that outdated products with known vulnerabilities that ...
2 years ago Thehackernews.com CVE-2021-21974
VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks - VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins ...
1 year ago Bleepingcomputer.com CVE-2023-34060
VMWare discloses critical VCD Appliance auth bypass with no patch - VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments. Cloud Director enables VMware admins to manage their organizations' cloud services as part of Virtual Data Centers. The auth ...
1 year ago Bleepingcomputer.com CVE-2023-34060
VMware fixes critical code execution flaw in vCenter Server - VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution attacks on vulnerable servers. vCenter Server is the central management hub for VMware's vSphere suite, and it helps ...
1 year ago Bleepingcomputer.com CVE-2023-34048 CVE-2023-34056
Latest Information Security and Hacking Incidents - The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a ...
1 year ago Cysecurity.news Qilin
VMware urges admins to remove deprecated, vulnerable auth plug-in - VMware urged admins today to remove a discontinued authentication plugin exposed to authentication relay and session hijack attacks in Windows domain environments via two security vulnerabilities left unpatched. The vulnerable VMware Enhanced ...
1 year ago Bleepingcomputer.com CVE-2024-22245 CVE-2024-22250
Chinese Espionage Group Has Exploited VMware Flaw Since 2021 - A Chinese espionage group spotted last year by Mandiant researchers abusing a flaw that affected VMware virtualization tools has been exploiting another zero-day vulnerability in VMware's vCenter Server since at least late 2021, according to the ...
1 year ago Securityboulevard.com CVE-2023-34048 CVE-2023-20867
VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code - This critical flaw in VMware’s VMCI (Virtual Machine Communication Interface) allows attackers with local administrative privileges on a virtual machine to execute code on the underlying host. VMware has issued a critical security advisory ...
2 weeks ago Cybersecuritynews.com Black Basta CVE-2024-37085 Akira
Russians break into Microsoft as Chinese hit VMware users The Register - A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news. On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write ...
1 year ago Go.theregister.com CVE-2023-34048 Hunters
VMware warns admins of public exploit for vRealize RCE flaw - VMware warned customers on Monday that proof-of-concept exploit code is now available for an authentication bypass flaw in vRealize Log Insight. "Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," ...
1 year ago Bleepingcomputer.com CVE-2023-34051
Over 37,000 VMware ESXi servers vulnerable to ongoing attacks - The Shadowserver Foundation reports that most of the vulnerable instances are in China (4,400), followed by France (4,100), the United States (3,800), Germany (2,800), Iran (2,800), and Brazil (2,200). Bill Toulas Bill Toulas is a tech writer and ...
2 weeks ago Bleepingcomputer.com CVE-2025-22225
Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years - One of the most serious VMware vulnerabilities in recent memory was secretly being exploited by a Chinese advanced persistent threat for years before a patch became available. In a sign of just how severe this particular issue was, VMware went so far ...
1 year ago Darkreading.com CVE-2023-34048 CVE-2023-20867
A largescale ransomware attack is targeting VMware ESXi servers around the world - Administrators, hosting providers, and the French Computer Emergency Response Team have warned that attackers are actively targeting VMware ESXi servers that have not been patched against a two-year-old remote code execution vulnerability to deploy ...
2 years ago Bleepingcomputer.com CVE-2021-21974
Chinese threat group exploited VMware vulnerability in 2021 - A critical VMware vulnerability that was patched in October was exploited in the wild two years ago by a China-nexus threat actor, according to new research from Mandiant. On Oct. 25, VMware first disclosed an out-of-bounds write vulnerability ...
1 year ago Techtarget.com CVE-2023-34048 CVE-2023-34056 CVE-2023-20867
Ransomware Attack Exploiting an Outdated Vulnerability on Numerous VMware ESXi Servers - Recently, a large-scale ransomware attack has been targeting unpatched and unprotected VMware ESXi servers around the world. The attack, known as ESXiArgs, is exploiting a vulnerability called CVE-2021-21974, which was patched by VMware in February ...
2 years ago Securityweek.com CVE-2021-21974
Broadcom fixes three VMware zero-days exploited in attacks - CVE-2025-22225 is an ESXi arbitrary write vulnerability that allows the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape, while CVE-2025-22226 is described as an HGFS information-disclosure flaw that lets threat actors with ...
2 weeks ago Bleepingcomputer.com CVE-2025-22225
RansomHouse gang automates VMware ESXi attacks with new MrAgent tool - The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. RansomHouse is a ransomware-as-a-service operation that emerged in December 2021 ...
1 year ago Bleepingcomputer.com LockBit
Exploit Released for Critical VMware vRealize Log Insight RCE Vulnerability - Horizon3 security researchers have released proof-of-concept code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances. VMware patched four security vulnerabilities in its ...
2 years ago Bleepingcomputer.com CVE-2022-22972
CVE-2018-6981 - VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG, VMware ESXi 6.0 without ESXi600-201811401-BG, VMware Workstation 15, VMware Workstation 14.1.3 or below, VMware Fusion 11, VMware Fusion 10.1.3 or below ...
3 years ago
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
No Proof of Unpatched Vulnerabilities Being Used in ESXiArgs Ransomware Assaults VMware - VMware has warned customers to take action as unpatched ESXi servers are being targeted by ESXiArgs ransomware attacks. Hackers are exploiting CVE-2021-21974, a high-severity ESXi remote code execution vulnerability related to OpenSLP that was ...
2 years ago Securityweek.com CVE-2021-21974
Exploiting a VMware Vulnerability to Launch Ransomware Attacks on ESXi Servers - Recently, cybercriminals have been targeting VMware ESXi hypervisors with ransomware attacks. These attacks are believed to be exploiting CVE-2021-21974, which had a patch released on February 23, 2021. VMware's alert stated that the vulnerability ...
2 years ago Thehackernews.com CVE-2021-21974 RansomEXX

Latest Cyber News


Cyber Trends (last 7 days)