CyberSecurityBoard
Sponsor Register Login

VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code

This critical flaw in VMware’s VMCI (Virtual Machine Communication Interface) allows attackers with local administrative privileges on a virtual machine to execute code on the underlying host. VMware has issued a critical security advisory (VMSA-2025-0004) warning of active exploitation of three vulnerabilities in its ESXi, Workstation, and Fusion products. In July 2024, ransomware groups like Akira and Black Basta exploited CVE-2024-37085, an authentication bypass flaw affecting 20,000+ internet-exposed ESXi servers, to encrypt hypervisors and hosted VMs. With ransomware groups and nation-state actors increasingly targeting hypervisors, organizations must prioritize patch cycles and adopt proactive security measures, including network segmentation and credential hardening. This vulnerability (CVSS 7.1) in VMware’s Host-Guest File System (HGFS) allows attackers with VM admin rights to leak memory from the host’s vmx process. These flaws, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow attackers to execute malicious code, escalate privileges, and leak sensitive memory data. Rated “Important” (CVSS 8.2), this flaw permits attackers with VMX process privileges to write arbitrary kernel data, bypassing sandbox protections. The most severe vulnerability, CVE-2025-22224, carries a CVSSv3 score of 9.3 and enables hypervisor-level code execution from a compromised virtual machine. Similarly, the 2022 VMSA-2022-0004 advisory addressed a virtual USB controller flaw enabling VM escapes, underscoring persistent risks in virtualization environments. The Shadowserver Foundation observed over 20,000 internet-facing ESXi instances vulnerable to CVE-2024-37085 as of July 2024, a precursor to the current wave of exploits. VMware confirmed active exploitation in the wild, and Microsoft Threat Intelligence Center was credited with discovering it. VMware notes this vulnerability has also been exploited, though it requires prior access to the VMX environment.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 04 Mar 2025 12:00:03 +0000


Cyber News related to VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code

Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
2 years ago Hackread.com CVE-2021-21974
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
1 year ago Bleepingcomputer.com Qilin
41,500+ VMware ESXi Instances Vulnerable to Code Execution Attacks - We are scanning & reporting out VMware ESXi CVE-2025-22224 vulnerable instances ("a malicious actor with local admin privileges on a virtual machine may exploit this to execute code as virtual machine's VMX process running on ...
1 week ago Cybersecuritynews.com CVE-2025-22224
CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
9 months ago Securityaffairs.com
No Signs of Unpatched Vulnerabilities Discovered in ESXiArgs Ransomware Attacks - VMware reported on Monday that there is no proof that hackers are using an unknown security flaw, also known as a zero-day, in its software as part of a ransomware attack. Most reports suggest that outdated products with known vulnerabilities that ...
2 years ago Thehackernews.com CVE-2021-21974
VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks - VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins ...
1 year ago Bleepingcomputer.com CVE-2023-34060
VMWare discloses critical VCD Appliance auth bypass with no patch - VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments. Cloud Director enables VMware admins to manage their organizations' cloud services as part of Virtual Data Centers. The auth ...
1 year ago Bleepingcomputer.com CVE-2023-34060
VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code - This critical flaw in VMware’s VMCI (Virtual Machine Communication Interface) allows attackers with local administrative privileges on a virtual machine to execute code on the underlying host. VMware has issued a critical security advisory ...
1 week ago Cybersecuritynews.com Black Basta CVE-2024-37085 Akira
Chinese Espionage Group Has Exploited VMware Flaw Since 2021 - A Chinese espionage group spotted last year by Mandiant researchers abusing a flaw that affected VMware virtualization tools has been exploiting another zero-day vulnerability in VMware's vCenter Server since at least late 2021, according to the ...
1 year ago Securityboulevard.com CVE-2023-34048 CVE-2023-20867
Latest Information Security and Hacking Incidents - The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a ...
1 year ago Cysecurity.news Qilin
VMware urges admins to remove deprecated, vulnerable auth plug-in - VMware urged admins today to remove a discontinued authentication plugin exposed to authentication relay and session hijack attacks in Windows domain environments via two security vulnerabilities left unpatched. The vulnerable VMware Enhanced ...
1 year ago Bleepingcomputer.com CVE-2024-22245 CVE-2024-22250
VMware fixes critical code execution flaw in vCenter Server - VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution attacks on vulnerable servers. vCenter Server is the central management hub for VMware's vSphere suite, and it helps ...
1 year ago Bleepingcomputer.com CVE-2023-34048 CVE-2023-34056
Chinese threat group exploited VMware vulnerability in 2021 - A critical VMware vulnerability that was patched in October was exploited in the wild two years ago by a China-nexus threat actor, according to new research from Mandiant. On Oct. 25, VMware first disclosed an out-of-bounds write vulnerability ...
1 year ago Techtarget.com CVE-2023-34048 CVE-2023-34056 CVE-2023-20867
Ransomware Attack Exploiting an Outdated Vulnerability on Numerous VMware ESXi Servers - Recently, a large-scale ransomware attack has been targeting unpatched and unprotected VMware ESXi servers around the world. The attack, known as ESXiArgs, is exploiting a vulnerability called CVE-2021-21974, which was patched by VMware in February ...
2 years ago Securityweek.com CVE-2021-21974
Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years - One of the most serious VMware vulnerabilities in recent memory was secretly being exploited by a Chinese advanced persistent threat for years before a patch became available. In a sign of just how severe this particular issue was, VMware went so far ...
1 year ago Darkreading.com CVE-2023-34048 CVE-2023-20867
Russians break into Microsoft as Chinese hit VMware users The Register - A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news. On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write ...
1 year ago Go.theregister.com CVE-2023-34048 Hunters
VMware warns admins of public exploit for vRealize RCE flaw - VMware warned customers on Monday that proof-of-concept exploit code is now available for an authentication bypass flaw in vRealize Log Insight. "Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," ...
1 year ago Bleepingcomputer.com CVE-2023-34051
New MOVEit Transfer critical bug is actively exploited - MUST READ. New MOVEit Transfer critical bug is actively exploited. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. PoC ...
8 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109 Rocke
VMware Patches Vulnerabilities Exploited at Pwn2Own 2024 - Broadcom-owned VMware on Tuesday published a security advisory to inform Workstation and Fusion customers that patches are available for vulnerabilities exploited earlier this year at the Pwn2Own hacking competition. It's worth noting that VMware ...
10 months ago Securityweek.com CVE-2024-22267 CVE-2024-22269 CVE-2024-22270
Broadcom fixes three VMware zero-days exploited in attacks - CVE-2025-22225 is an ESXi arbitrary write vulnerability that allows the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape, while CVE-2025-22226 is described as an HGFS information-disclosure flaw that lets threat actors with ...
1 week ago Bleepingcomputer.com CVE-2025-22225
Check Point released hotfix for actively exploited VPN zero-day - MUST READ. Check Point released hotfix for actively exploited VPN zero-day. Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Apple ...
9 months ago Securityaffairs.com CVE-2024-23222 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109
14 New DrayTek routers' flaws impacts over 700,000 devices in 168 countries - Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. Multiple flaws in DrayTek ...
5 months ago Securityaffairs.com CVE-2024-45519 CVE-2024-29849 CVE-2024-41585
A largescale ransomware attack is targeting VMware ESXi servers around the world - Administrators, hosting providers, and the French Computer Emergency Response Team have warned that attackers are actively targeting VMware ESXi servers that have not been patched against a two-year-old remote code execution vulnerability to deploy ...
2 years ago Bleepingcomputer.com CVE-2021-21974
CVE-2018-6981 - VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG, VMware ESXi 6.0 without ESXi600-201811401-BG, VMware Workstation 15, VMware Workstation 14.1.3 or below, VMware Fusion 11, VMware Fusion 10.1.3 or below ...
3 years ago
Over 37,000 VMware ESXi servers vulnerable to ongoing attacks - The Shadowserver Foundation reports that most of the vulnerable instances are in China (4,400), followed by France (4,100), the United States (3,800), Germany (2,800), Iran (2,800), and Brazil (2,200). Bill Toulas Bill Toulas is a tech writer and ...
1 week ago Bleepingcomputer.com CVE-2025-22225

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)