Over 37,000 VMware ESXi Servers Remain Exposed to Active Attacks

A serious vulnerability detected in VMware ESXi, identified as CVE-2025-22224, continues to affect more than 37,000 instances exposed to the internet, leaving them at risk of active exploitation. The vulnerability, which allows attackers to escape from the virtualized environment and execute malicious code on the host, has been classified as critical and is currently being exploited in the wild.

Massive Exposure to Attacks

According to recent data from the threat monitoring platform The Shadowserver Foundation, the number of vulnerable servers has decreased in the past few days, dropping from an initial report of 41,500 instances to 37,000. This indicates that at least 4,500 systems have been patched in response to the security alert.

The vulnerability CVE-2025-22224 is a heap-overflow flaw in VMCI (the Virtual Machine Communication Interface). An attacker who already holds local administrative privileges inside a guest virtual machine can exploit it to execute code on the host in the context of the VMX process, fully compromising the virtualization infrastructure.

Security Warnings and Recommendations

Broadcom, the owner of VMware, issued an advisory on March 4, 2025, warning customers that this vulnerability was being actively exploited along with two other issues, CVE-2025-22225 and CVE-2025-22226. According to Broadcom, all three were being exploited as "zero-days", meaning that attacks began before the details were made public and before a security patch was available.

The Microsoft Threat Intelligence Center was the first to detect these vulnerabilities and has been monitoring their exploitation without, so far, revealing details about the attackers or their specific targets.

Given the magnitude of the threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies and state organizations until March 25, 2025 to apply the available patches or discontinue use of the product.

Distribution of Vulnerable Servers

The report from Shadowserver indicates that vulnerable ESXi servers are distributed across various regions worldwide, with the following geographical distribution:

  • China: 4,400 servers
  • France: 4,100 servers
  • United States: 3,800 servers
  • Germany: 2,800 servers
  • Iran: 2,800 servers
  • Brazil: 2,200 servers

As VMware ESXi is one of the most widely used hypervisors in enterprise environments for managing virtual machines, the impact of this vulnerability is of global scope.

No Workarounds Available

Currently, there are no workarounds or mitigations for this vulnerability. The only way to protect affected systems is to apply the security patches provided by Broadcom. For details on the ESXi versions that address CVE-2025-22224, Broadcom has published a security bulletin on its website, along with a frequently asked questions page to help system administrators take the necessary measures.

The urgency of the situation underscores the importance of keeping virtualized environments updated, as a vulnerability in VMware ESXi can become a critical entry point for ransomware attacks, data exfiltration, or corporate espionage.