We are scanning & reporting out VMware ESXi CVE-2025-22224 vulnerable instances ("a malicious actor with local admin privileges on a virtual machine may exploit this to execute code as the virtual machine's VMX process running on the host"). Shadowserver observed that, as of March 4, 2025, more than 41,500 internet-exposed VMware ESXi hypervisors are vulnerable to CVE-2025-22224, a critical zero-day vulnerability that is being actively exploited in attacks.
CVE-2025-22224 (CVSS 9.3) is a Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation products. It enables attackers with local administrative access to a virtual machine (VM) to execute malicious code on the underlying hypervisor, a breach with catastrophic implications for cloud infrastructure and enterprise networks. VMware ESXi is widely used in enterprise environments for server consolidation and cloud management, making this vulnerability a high-value target.
Microsoft Threat Intelligence Center discovered the vulnerabilities and reported them to Broadcom, noting their utility in ransomware and advanced persistent threat (APT) campaigns. Broadcom confirmed active exploitation of this flaw alongside two additional vulnerabilities (CVE-2025-22225 and CVE-2025-22226), which attackers chain together to bypass security safeguards. Because of the flaw's low attack complexity, threat actors can leverage existing VM breaches, such as those induced by phishing, or exploit web applications to gain control of the hypervisor. This mirrors tactics seen in mid-2024 campaigns exploiting CVE-2024-37085, another ESXi flaw (an authentication bypass) leveraged by ransomware groups.
Initial VM Compromise: Attackers gain administrative access to a VM via phishing, credential theft, or application vulnerabilities.
Hypervisor Takeover: Code execution in the VMX context allows disabling security controls, accessing other VMs, or deploying ransomware.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-22224 to its Known Exploited Vulnerabilities (KEV) catalog on March 4, mandating that federal agencies patch it by March 25, 2025. Organizations must immediately isolate ESXi management interfaces from the internet, audit VM administrative access, and monitor for anomalous VMX process activity.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 06 Mar 2025 05:20:15 +0000