CyberSecurityBoard
Sponsor Register Login

VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code

This critical flaw in VMware’s VMCI (Virtual Machine Communication Interface) allows attackers with local administrative privileges on a virtual machine to execute code on the underlying host. VMware has issued a critical security advisory (VMSA-2025-0004) warning of active exploitation of three vulnerabilities in its ESXi, Workstation, and Fusion products. In July 2024, ransomware groups like Akira and Black Basta exploited CVE-2024-37085, an authentication bypass flaw affecting 20,000+ internet-exposed ESXi servers, to encrypt hypervisors and hosted VMs. With ransomware groups and nation-state actors increasingly targeting hypervisors, organizations must prioritize patch cycles and adopt proactive security measures, including network segmentation and credential hardening. This vulnerability (CVSS 7.1) in VMware’s Host-Guest File System (HGFS) allows attackers with VM admin rights to leak memory from the host’s vmx process. These flaws, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow attackers to execute malicious code, escalate privileges, and leak sensitive memory data. Rated “Important” (CVSS 8.2), this flaw permits attackers with VMX process privileges to write arbitrary kernel data, bypassing sandbox protections. The most severe vulnerability, CVE-2025-22224, carries a CVSSv3 score of 9.3 and enables hypervisor-level code execution from a compromised virtual machine. Similarly, the 2022 VMSA-2022-0004 advisory addressed a virtual USB controller flaw enabling VM escapes, underscoring persistent risks in virtualization environments. The Shadowserver Foundation observed over 20,000 internet-facing ESXi instances vulnerable to CVE-2024-37085 as of July 2024, a precursor to the current wave of exploits. VMware confirmed active exploitation in the wild, and Microsoft Threat Intelligence Center was credited with discovering it. VMware notes this vulnerability has also been exploited, though it requires prior access to the VMX environment.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 04 Mar 2025 12:00:03 +0000


Cyber News related to VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code

Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
2 years ago Hackread.com CVE-2021-21974
VMware ESXi 8.0 Update 3e Released for Free, What's New! - This marks a significant policy reversal after Broadcom discontinued the free ESXi offering following its acquisition of VMware, a move that had pushed many users toward alternative virtualization platforms. Broadcom has officially reintroduced the ...
6 months ago Cybersecuritynews.com
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
1 year ago Bleepingcomputer.com Qilin
41,500+ VMware ESXi Instances Vulnerable to Code Execution Attacks - We are scanning & reporting out VMware ESXi CVE-2025-22224 vulnerable instances ("a malicious actor with local admin privileges on a virtual machine may exploit this to execute code as virtual machine's VMX process running on ...
8 months ago Cybersecuritynews.com CVE-2025-22224
No Signs of Unpatched Vulnerabilities Discovered in ESXiArgs Ransomware Attacks - VMware reported on Monday that there is no proof that hackers are using an unknown security flaw, also known as a zero-day, in its software as part of a ransomware attack. Most reports suggest that outdated products with known vulnerabilities that ...
2 years ago Thehackernews.com CVE-2021-21974
VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks - VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins ...
1 year ago Bleepingcomputer.com CVE-2023-34060
VMware ESXi and Workstation Vulnerabilities Let Attackers Execute Malicious Code on Host - Multiple severe vulnerabilities have been addressed affecting VMware ESXi, Workstation, Fusion, and Tools that could allow attackers to execute malicious code on host systems. However, on VMware Workstation and Fusion desktop platforms, successful ...
3 months ago Cybersecuritynews.com
VMWare discloses critical VCD Appliance auth bypass with no patch - VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments. Cloud Director enables VMware admins to manage their organizations' cloud services as part of Virtual Data Centers. The auth ...
1 year ago Bleepingcomputer.com CVE-2023-34060
VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code - This critical flaw in VMware’s VMCI (Virtual Machine Communication Interface) allows attackers with local administrative privileges on a virtual machine to execute code on the underlying host. VMware has issued a critical security advisory ...
8 months ago Cybersecuritynews.com Black Basta CVE-2024-37085 Akira
CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
1 year ago Securityaffairs.com
Latest Information Security and Hacking Incidents - The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a ...
1 year ago Cysecurity.news Qilin
Chinese Espionage Group Has Exploited VMware Flaw Since 2021 - A Chinese espionage group spotted last year by Mandiant researchers abusing a flaw that affected VMware virtualization tools has been exploiting another zero-day vulnerability in VMware's vCenter Server since at least late 2021, according to the ...
1 year ago Securityboulevard.com CVE-2023-34048 CVE-2023-20867
VMware urges admins to remove deprecated, vulnerable auth plug-in - VMware urged admins today to remove a discontinued authentication plugin exposed to authentication relay and session hijack attacks in Windows domain environments via two security vulnerabilities left unpatched. The vulnerable VMware Enhanced ...
1 year ago Bleepingcomputer.com CVE-2024-22245 CVE-2024-22250
CVE-2025-41233 - Description: ...
5 months ago
VMware fixes critical code execution flaw in vCenter Server - VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution attacks on vulnerable servers. vCenter Server is the central management hub for VMware's vSphere suite, and it helps ...
1 year ago Bleepingcomputer.com CVE-2023-34048 CVE-2023-34056
Chinese threat group exploited VMware vulnerability in 2021 - A critical VMware vulnerability that was patched in October was exploited in the wild two years ago by a China-nexus threat actor, according to new research from Mandiant. On Oct. 25, VMware first disclosed an out-of-bounds write vulnerability ...
1 year ago Techtarget.com CVE-2023-34048 CVE-2023-34056 CVE-2023-20867
BlackSuit Ransomware Targets VMware ESXi Servers: A New Threat to Virtualized Environments - BlackSuit ransomware has emerged as a significant threat targeting VMware ESXi servers, which are widely used in enterprise virtualized environments. This ransomware variant specifically exploits vulnerabilities in VMware ESXi to encrypt virtual ...
4 weeks ago Cybersecuritynews.com CVE-2021-21985 BlackSuit
Broadcom warns of authentication bypass in VMware Windows Tools - For instance, in November, Broadcom warned that attackers were exploiting two VMware vCenter Server vulnerabilities: a privilege escalation to root (CVE-2024-38813) and a critical remote code execution flaw (CVE-2024-38812) identified during China's ...
7 months ago Bleepingcomputer.com CVE-2024-38813
Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years - One of the most serious VMware vulnerabilities in recent memory was secretly being exploited by a Chinese advanced persistent threat for years before a patch became available. In a sign of just how severe this particular issue was, VMware went so far ...
1 year ago Darkreading.com CVE-2023-34048 CVE-2023-20867
Ransomware Attack Exploiting an Outdated Vulnerability on Numerous VMware ESXi Servers - Recently, a large-scale ransomware attack has been targeting unpatched and unprotected VMware ESXi servers around the world. The attack, known as ESXiArgs, is exploiting a vulnerability called CVE-2021-21974, which was patched by VMware in February ...
2 years ago Securityweek.com CVE-2021-21974
Russians break into Microsoft as Chinese hit VMware users The Register - A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news. On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write ...
1 year ago Go.theregister.com CVE-2023-34048 Hunters
VMware warns admins of public exploit for vRealize RCE flaw - VMware warned customers on Monday that proof-of-concept exploit code is now available for an authentication bypass flaw in vRealize Log Insight. "Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," ...
1 year ago Bleepingcomputer.com CVE-2023-34051
VMware Tools for Windows Vulnerability Let Attackers Bypass Authentication - According to the security advisory VMSA-2025-0005, the authentication bypass vulnerability stems from improper access control in the VMware Tools for Windows utilities suite. In response to this vulnerability, cybersecurity experts recommend that ...
7 months ago Cybersecuritynews.com CVE-2025-22230
VMware Patches Vulnerabilities Exploited at Pwn2Own 2024 - Broadcom-owned VMware on Tuesday published a security advisory to inform Workstation and Fusion customers that patches are available for vulnerabilities exploited earlier this year at the Pwn2Own hacking competition. It's worth noting that VMware ...
1 year ago Securityweek.com CVE-2024-22267 CVE-2024-22269 CVE-2024-22270
Broadcom fixes three VMware zero-days exploited in attacks - CVE-2025-22225 is an ESXi arbitrary write vulnerability that allows the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape, while CVE-2025-22226 is described as an HGFS information-disclosure flaw that lets threat actors with ...
8 months ago Bleepingcomputer.com CVE-2025-22225

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)