41,500+ VMware ESXi Instances Vulnerable to Code Execution Attacks


As of March 4, 2025, the Shadowserver Foundation observed 41,500+ internet-exposed VMware ESXi hypervisors still vulnerable to CVE-2025-22224, a critical zero-day vulnerability that is being actively exploited in attacks.

Broadcom patched the vulnerability in an emergency update. The flaw enables an attacker who already holds local administrative access inside a virtual machine (VM) to execute code on the underlying hypervisor, a guest-to-host escape with severe implications for cloud infrastructure and enterprise networks, since one compromised guest can then reach every other VM on the host.

Hypervisor Escape via TOCTOU Flaw

CVE-2025-22224 (CVSS 9.3) is a Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation. It allows an attacker to trigger an out-of-bounds write in the VMX process, the hypervisor component that runs each individual VM on the host.

Exploitation requires prior compromise of a VM’s guest OS: an attacker with administrative (root) privileges inside the guest can escalate from there to the host. Once achieved, this grants control over every VM on the hypervisor, its datastores, and any networked assets the host can reach.

Broadcom confirmed it has information that this flaw is being exploited in the wild alongside two additional vulnerabilities, CVE-2025-22225 (an arbitrary write that lets code running in the VMX process escape its sandbox into the ESXi kernel) and CVE-2025-22226 (an out-of-bounds read in HGFS that leaks VMX process memory). Chained together, the three take an attacker from a privileged guest to full control of the host.

Microsoft Threat Intelligence Center discovered the vulnerabilities and reported them to Broadcom, noting their utility in ransomware and advanced persistent threat (APT) campaigns.

The 41,500 unpatched, internet-exposed ESXi instances represent a significant slice of global virtualization infrastructure, with heavy use in the healthcare, finance, and telecommunications sectors.

VMware ESXi is widely used in enterprise environments for server consolidation and cloud management, making this vulnerability a high-value target.

ESXi hypervisors should never be directly internet-facing, but misconfigurations or outdated network policies often leave management interfaces (the host client, SSH, or vCenter) exposed.

Because the flaw has low attack complexity and needs nothing beyond administrative rights inside a guest, threat actors can turn an existing VM compromise, whether obtained through phishing or by exploiting a web application running in that VM, into control of the hypervisor.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-22224 to its Known Exploited Vulnerabilities (KEV) catalog on March 4, mandating federal agencies to patch it by March 25, 2025.

Successful exploitation follows three stages:

  1. Initial VM Compromise: Attackers gain administrative (root) access to a guest VM via phishing, credential theft, or application vulnerabilities.
  2. TOCTOU Exploitation: From inside the guest, the attacker wins the TOCTOU race in the VMX process to trigger the out-of-bounds write and gain code execution as VMX on the host.
  3. Hypervisor Takeover: Code execution in the VMX context (extended to the ESXi kernel via CVE-2025-22225) allows disabling security controls, accessing other VMs, or deploying ransomware.

Hypervisor-level access is particularly dangerous for ransomware operations: an attacker can encrypt the datastores holding every VM’s disks in one pass, crippling disaster recovery mechanisms and amplifying the impact far beyond a single compromised guest.

This mirrors tactics seen in mid-2024 campaigns exploiting CVE-2024-37085, an ESXi authentication bypass in the Active Directory integration (the “ESX Admins” group) that ransomware groups used to take over hypervisors.

Mitigations

Broadcom released patches for all affected products, including:

  • VMware ESXi 8.0: Update to ESXi80U3d-24585383 or ESXi80U2d-24585300
  • VMware ESXi 7.0: Update to ESXi70U3s-24585291
  • VMware Workstation 17.x: Update to 17.6.3
  • VMware Cloud Foundation 5.x/4.5.x: Apply the async patches detailed in KB389385.

Organizations must immediately isolate ESXi management interfaces from the internet, audit which accounts hold administrative rights inside VMs (since that is the only precondition for exploitation), confirm every host is running one of the fixed builds above, and monitor for anomalous VMX process activity. Rapid7 and Tenable have integrated detection checks into their vulnerability management platforms to identify exposed systems.
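As an added example (not part of the original article or of Broadcom’s advisory), the following POSIX shell script reads the output of `esxcli system version get` and compares the host’s build number with the fixed builds listed above. The threshold logic assumes ESXi build numbers increase with release date, so any 8.0 build at or above 24585300 and any 7.0 build at or above 24585291 post-dates the fix; the sample `esxcli` outputs embedded in it are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example: check an ESXi host's build against the fixed builds from
# Broadcom's advisory for CVE-2025-22224. Not VMware/Broadcom code.
# Fixed builds: ESXi 7.0 -> 24585291 (7.0U3s)
#               ESXi 8.0 -> 24585300 (8.0U2d) and 24585383 (8.0U3d)
# Assumption: build numbers grow with release date, so the lowest fixed
# build per major version is a safe threshold.

# min_fixed_build VERSION -> lowest patched build for that major.minor
min_fixed_build() {
    case "$1" in
        7.0*) echo 24585291 ;;
        8.0*) echo 24585300 ;;
        *)    echo "" ;;          # no fixed build listed for this version
    esac
}

# assess VERSION BUILD -> prints PATCHED, VULNERABLE or UNKNOWN
assess() {
    ver="$1"; build="$2"
    min=$(min_fixed_build "$ver")
    if [ -z "$min" ]; then
        echo UNKNOWN; return 0
    fi
    case "$build" in
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;   # build must be numeric
    esac
    if [ "$build" -ge "$min" ]; then echo PATCHED; else echo VULNERABLE; fi
}

# parse_esxcli TEXT -> "VERSION BUILD" taken from `esxcli system version get`
parse_esxcli() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^ *Version: *//p')
    build=$(printf '%s\n' "$1" | sed -n 's/^ *Build: *Releasebuild-//p')
    echo "$ver $build"
}

# check_host TEXT -> assessment for one host's esxcli output
check_host() {
    set -- $(parse_esxcli "$1")
    assess "$1" "$2"
}

# Constructed sample outputs (not captured from real hosts):
SAMPLE_VULN='   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24414501
   Update: 3'

SAMPLE_PATCHED='   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24585383
   Update: 3'

main() {
    if command -v esxcli >/dev/null 2>&1; then
        # Running in the ESXi shell: query the live host
        echo "this host: $(check_host "$(esxcli system version get)")"
    else
        echo "sample vulnerable host: $(check_host "$SAMPLE_VULN")"
        echo "sample patched host:    $(check_host "$SAMPLE_PATCHED")"
    fi
}

main
```

Run it directly in the ESXi shell over SSH, or collect `esxcli system version get` from each host through your normal management channel and feed the text to `check_host`; a result of UNKNOWN means the version is outside the 7.0/8.0 lines the advisory lists and needs manual review rather than a silent pass.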

