37,000+ VMware ESXi Instances at Risk Due to Zero-Day Vulnerabilities


A large number of VMware ESXi, Workstation, and Fusion installations remain vulnerable to three zero-day vulnerabilities that attackers are already exploiting against corporate IT systems.

Three CVEs, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have been weaponized by attackers, prompting Broadcom and CISA to issue immediate warnings to users.

Organizations running the roughly 37,000 unpatched VMware ESXi instances need to patch quickly and deploy additional security measures to prevent lasting damage.

Overview of the VMware Zero-Day Vulnerabilities

On March 4, 2025, Broadcom disclosed three zero-day vulnerabilities affecting VMware ESXi, Workstation, and Fusion that, according to reporting from the Microsoft Threat Intelligence Center, are being actively exploited.

These flaws allow attackers with privileged access inside a VM to escape it, gain control of the hypervisor, and access confidential data.

These exploits are especially valuable because EDR tools typically cannot run on ESXi hosts, which lets attackers move quietly through every virtual component of the organization's infrastructure.

CVE-2025-22224 (Critical) – Time-of-Check Time-of-Use (TOCTOU) Race Condition:

CVE-2025-22224 (Critical), a TOCTOU race condition, poses the most serious danger and affects both ESXi and Workstation.

The race condition causes an out-of-bounds write in the vulnerable component, giving attackers control of the VMX process.

If the exploit succeeds, the attacker escapes the guest OS, reaches the hypervisor, and thereby gains control of all virtual machines running on that server.

Gaining control of a single virtual machine could therefore lead to a full takeover of a company's entire virtualized infrastructure.

CVE-2025-22225 (High) – Arbitrary Write Vulnerability:

This high-severity issue in VMware ESXi is an arbitrary write vulnerability in the VMX process. A privileged user inside a virtual machine can break out of the sandbox and escalate access from the guest OS to the host OS.

Hypervisor access lets attackers run malicious code at a very deep level of the system. Because ESXi hosts share resources between VMs, attackers can spread between them easily.

CVE-2025-22226 (High):

CVE-2025-22226 is rated high severity because it lets attackers leak VMX memory, exposing confidential system information.

The vulnerability does not allow direct code execution, but the information it yields is useful for launching a full-scale attack when chained with other vulnerabilities.

Attackers with leaked memory data can use it to identify hypervisor details, cryptographic keys, and credentials stored inside VMware environments.

Security researchers warn that these vulnerabilities can be chained to carry out a hypervisor escape, giving attackers control over entire ESXi hosts after compromising a single VM.

Why Are These Vulnerabilities Dangerous?

Exploited in the Wild Already:

Attackers are already exploiting these vulnerabilities, which has intensified attention on the issue. In response to the threat, CISA has added them to its Known Exploited Vulnerabilities (KEV) catalog.

VMware Environments Are a “Black Box” for Security Tools:

Traditional monitoring tools such as Endpoint Detection and Response (EDR) cannot run inside ESXi environments, which makes them a “black box” for security teams.

As a result, attackers operating within the virtualization layer may generate no breach signals at all.

Large-Scale Exposure:

Map.it's documented report flags 37,322 instances as actively vulnerable.

  • The Shadowserver Foundation counted 41,450 vulnerable ESXi instances on March 4.
  • By March 5, the count was 37,322 vulnerable instances.
  • More than 50% of the detected instances are located in China, America, and France.

High Risk of Ransomware:

Attackers concentrate on VMware ESXi, and numerous networks are being probed for exploitation.

  • Compromising such environments gives attackers complete control and lets them encrypt entire data centers.
  • Attackers remain keen to discover ESXi VM escape exploits; such vulnerabilities are priced at $150,000.


Locking Down Your VMware Environment

Apply the Current Patches from Broadcom Immediately

Broadcom has released official updates for the affected products.

To mitigate the risk, organizations should install the VMware ESXi, Workstation, and Fusion updates immediately.

How to Patch:

  • Upgrade your VMware software using its built-in update and download capabilities.
  • If you cannot access the Broadcom Support Portal, open a non-technical support case to get assistance.
  • Verify the patch installation by checking the running version and build against the fixed version in system records.
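As an added example (not from this article, Broadcom, or VMware), the script below parses the output of ESXi's `esxcli system version get` command collected from several hosts and flags any host whose build is below the fixed build for its release line. The fixed build numbers are not given on this page, so the thresholds, host names, and builds used here are constructed placeholders to be replaced with the values from Broadcom's March 4, 2025 advisory.

```python
import re

# Constructed sample output in the layout printed by `esxcli system version get`
# (placeholder host names and build numbers, not a real inventory).
SAMPLE_HOST_OUTPUT = {
    "esxi-01.example.internal": """
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24100000
""",
    "esxi-02.example.internal": """
   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-23900000
""",
    "esxi-03.example.internal": "Connection refused",
}

# Placeholder minimum fixed build per release line; replace these with the
# fixed builds Broadcom lists for each version (not real fixed build numbers).
PLACEHOLDER_FIXED_BUILDS = {"8.0": 24100000, "7.0": 24000000}

def parse_version_output(text):
    """Turn the 'Key: value' lines of esxcli output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def build_number(fields):
    """Extract the numeric build, e.g. 24100000 from 'Releasebuild-24100000'."""
    match = re.search(r"(\d+)\s*$", fields.get("Build", ""))
    return int(match.group(1)) if match else None

def patch_status(text, fixed_builds):
    """Return 'patched', 'UNPATCHED' or 'unknown' for one host's output."""
    fields = parse_version_output(text)
    build = build_number(fields)
    line = ".".join(fields.get("Version", "").split(".")[:2])
    required = fixed_builds.get(line)
    if build is None or required is None:
        return "unknown"  # unparsable output or release line not in the table
    return "patched" if build >= required else "UNPATCHED"

def triage_fleet(outputs, fixed_builds=PLACEHOLDER_FIXED_BUILDS):
    """Map each host name to its patch status so unpatched hosts stand out."""
    return {host: patch_status(text, fixed_builds) for host, text in outputs.items()}
```

Hosts reported as "unknown" (unreachable, or on a release line missing from the table) need manual follow-up rather than being treated as patched.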

Limit Admin Access & Implement Multi-Factor Authentication (MFA)

Because exploitation requires administrator privileges, organizations should take three key steps:

  • Restrict root/admin privileges on virtual machines.
  • Implement MFA on all privileged accounts.
  • Audit user permissions periodically and disable all inactive accounts.

Watch for Attempts at Exploitation

VMware environments should be scanned continuously for indicators of compromise to detect breaches.

  • Enable logging and auditing of hypervisor operations.
  • Deploy Intrusion Detection Systems (IDS) to flag suspicious activity.

Investigate any unusual authentication activity as well as any attempt to escalate user privileges.


Back up & Segment Virtualized Environments

Virtualized environments need both backups and segmentation.

Organizations should take scheduled backups of their virtual machines and store them separately from the primary systems.

  • Segment VMware environments into distinct zones to limit lateral movement between virtual machines.
  • Disable any unnecessary services on ESXi hosts, since they can create external exposure.

Prepare for Ransomware Attacks

Organizations should take the following protective measures against ransomware that specifically targets ESXi environments.

  • Use network segmentation to isolate backup systems from other networks.
  • Install endpoint security software on VMware management servers.

Test disaster recovery plans so that operations can be restored promptly after a security incident.

Conclusion

With over 37,000 VMware ESXi instances still exposed, organizations must act promptly and apply the patches for these zero-day vulnerabilities so that intruders cannot take advantage of their virtualized environments.

Patching Broadcom software, enforcing strict access controls, deploying an intrusion detection system, and preparing for a ransomware scenario are further key steps that help mitigate these risks.

Given the increasing number of cyber threats targeting enterprise cloud and virtualization infrastructures, organizations need a proactive security posture to protect sensitive information and prevent operational disruptions.

With SiteLock's cybersecurity services, organizations can automatically track malware, find vulnerabilities, and eradicate threats before substantial damage occurs.

Integrating real-time monitoring and threat intelligence gives greater assurance that VMware environments are protected from evolving cyber threats.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.