Increasing Attacks and Active Exploitation Risks in Virtualization Systems
On March 4, 2025, Broadcom announced multiple critical vulnerabilities in its VMware ESXi, Workstation, and Fusion products. Some of these vulnerabilities are already being actively exploited by ransomware groups, which raises the risk for companies and organizations running these virtualization environments.
The highlighted vulnerabilities include:
- CVE-2025-22224 (severity 9.3 CVSSv3): Allows an attacker with administrative privileges inside a virtual machine to execute arbitrary code on the host hypervisor, compromising the environment.
- CVE-2025-22225 (severity 8.2 CVSSv3): Enables arbitrary write access to the kernel, allowing for sandbox escape.
- CVE-2025-22226 (severity 7.1 CVSSv3): Facilitates memory leakage from the VMX process in affected systems.
Impact and Risks for Virtualized Infrastructures
The primary risk derived from these vulnerabilities is the possibility of “VM Escape”, a technique in which an attacker inside a virtual machine is able to execute code on the hypervisor. This could allow them to take control of the physical server, endangering all virtual machines hosted on it.
Flaws of this kind are frequently exploited by ransomware groups, who could encrypt entire servers and demand multimillion-dollar ransoms from the affected companies.
Available Updates and Mitigations
Broadcom has published security patches for supported versions of VMware, so it is recommended to update immediately. Additionally, users with unsupported versions should check download portals for available updates. Fixes have been released for VMware ESXi 6.5 and 6.7, though Broadcom suggests migrating to vSphere 8.
Corrected Versions:
| Product | Affected Version | Corrected Version |
|---|---|---|
| ESXi | 8.0 | ESXi80U3d-24585383 |
| ESXi | 8.0 | ESXi80U2d-24585300 |
| ESXi | 7.0 | ESXi70U3s-24585291 |
| ESXi | 6.7 | ESXi670-202503001 |
| Workstation | 17.x | 17.6.3 |
| Fusion | 13.x | 13.6.3 |
In this case, there are no alternative solutions to mitigate the risks, so the only safe option is to update the vulnerable systems.
How to Identify Vulnerable VMware ESXi Servers
To detect whether a VMware ESXi system on the network is vulnerable, an asset inventory tool such as runZero can be used; it supports advanced searches that identify outdated software versions. The following queries can be used in its Asset Inventory:
To locate at-risk ESXi servers:
os:"vmware esxi" AND (os_version:6 AND os_version:7 AND os_version:8 AND os_version:"8.0.2" AND os_version:"8.0.3" AND os_version:
To identify virtual machines running on VMware:
source:vmware
To locate vulnerable versions of Workstation and Fusion:
vendor:vmware AND ((product:Workstation AND version:
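Where an inventory tool is not available, the same check can be done against the ESXi build numbers listed in the table above. The script below is an added example, not runZero's or Broadcom's code; it assumes hosts report the banner format of `vmware -vl` ("VMware ESXi 8.0.3 build-NNNN"), that build numbers increase within an update line, and that the 8.0 Update 3, 8.0 Update 2 and 7.0 Update 3 lines report as 8.0.3, 8.0.2 and 7.0.3. The hostnames and builds in the sample inventory are constructed.

```python
import re

# Fixed builds from the advisory table: ESXi80U3d-24585383, ESXi80U2d-24585300,
# ESXi70U3s-24585291. The 6.7 fix (ESXi670-202503001) is a patch bundle name,
# not a build number, so 6.x hosts are routed to manual review instead.
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi 8.0 Update 3 line (assumed to report as 8.0.3)
    "8.0.2": 24585300,  # ESXi 8.0 Update 2 line (assumed to report as 8.0.2)
    "7.0.3": 24585291,  # ESXi 7.0 Update 3 line (assumed to report as 7.0.3)
}
# Banner format of `vmware -vl`, e.g. "VMware ESXi 8.0.3 build-24585383"
BANNER_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")

def assess(banner):
    """Classify one ESXi host banner as patched / vulnerable / review / unknown."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown", "could not parse version and build from banner"
    version, build = m.group(1), int(m.group(2))
    line = version.rsplit(".", 1)[0]  # "8.0.3" -> "8.0"
    if version in FIXED_BUILDS:
        fixed = FIXED_BUILDS[version]
        if build >= fixed:  # builds only grow within an update line
            return "patched", f"{version} build {build} >= fixed build {fixed}"
        return "vulnerable", f"{version} build {build} < fixed build {fixed}"
    if line in ("8.0", "7.0"):
        # 8.0.0, 8.0.1, 7.0.0-7.0.2: no fixed build exists on these update levels
        return "vulnerable", f"{version} has no fixed build; move to a patched update level"
    if line in ("6.7", "6.5"):
        return "review", f"{version}: check against ESXi670-202503001 / vendor portal"
    return "unknown", f"unrecognised ESXi release {version}"

def triage(inventory):
    """Map host -> (status, detail) for a {host: banner} inventory."""
    return {host: assess(banner) for host, banner in inventory.items()}

# Constructed sample inventory (hostnames and build numbers are made up)
SAMPLE_INVENTORY = {
    "esx-01": "VMware ESXi 8.0.3 build-24280767",
    "esx-02": "VMware ESXi 8.0.3 build-24585383",
    "esx-03": "VMware ESXi 7.0.3 build-24585291",
    "esx-04": "VMware ESXi 8.0.1 build-22088125",
    "esx-05": "VMware ESXi 6.7.0 build-17700523",
    "esx-06": "banner not collected for this host",
}

if __name__ == "__main__":
    for host, (status, detail) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status:10} {detail}")
```

Hosts classified as "review" or "unknown" still need a manual comparison against the vendor's patch listing; the numeric comparison is only meaningful within the same update line.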
Recent History of Vulnerabilities in VMware
These are not the first significant vulnerabilities reported in VMware. Over the past year, multiple flaws have been exploited in virtualization infrastructure:
- CVE-2024-37085 (June 2024): Validation failure in Active Directory groups that allows an attacker with sufficient permissions to gain full access to an ESXi host.
- CVE-2024-22252 to CVE-2024-22255 (March 2024): Vulnerabilities that allow code inside a virtual machine to access the host system without authorization.
- CVE-2021-21974 (February 2023): A flaw in the OpenSLP service of ESXi that was exploited by the ransomware ESXiArgs to encrypt servers.
Conclusion
The constant emergence of critical vulnerabilities in VMware demonstrates the importance of keeping these environments updated. Companies that rely on ESXi should prioritize immediate updates to their infrastructures and continuously monitor their virtual environments for potential attacks.
The risk of exploitation by ransomware groups is high, and the lack of alternative solutions means that patching is the only viable option for protection.