VMware ESXi Vulnerability Actively Exploited in 2026 — Patch Guidance for Admins

A serious security concern is dominating virtualization news this month as a critical flaw affecting VMware ESXi servers has begun seeing active exploitation in the wild. System administrators and IT security teams need to act immediately to protect their infrastructure.
What’s Happening?
In early February 2026, CISA officially added CVE-2025-22225 to its Known Exploited Vulnerabilities catalog, confirming active exploitation by ransomware operators (Help Net Security, Cyber Press). This vulnerability is part of a sophisticated attack chain that has been targeting VMware infrastructure since at least early 2025, with evidence suggesting development began even earlier.
The Vulnerability Trio
Three critical vulnerabilities are being exploited together to achieve complete virtual machine escape and hypervisor compromise:
CVE-2025-22225 (CVSS 8.2, Important severity): An arbitrary write vulnerability allowing attackers to perform memory writes that lead to sandbox escape, enabling code execution on the ESXi host (Cyber Press). This is the final stage that allows attackers to break out of the virtual machine and gain control of the underlying hypervisor.
CVE-2025-22224 (CVSS 9.3, Critical severity): A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMCI that leads to an out-of-bounds write, permitting code execution as the VMX process (Security Affairs).
CVE-2025-22226 (CVSS 7.1, Important severity): An information disclosure vulnerability caused by an out-of-bounds read in the Host-Guest File System (HGFS) that allows memory leakage from the VMX process (Huntress).
Affected Products and Versions
The vulnerabilities affect:
- VMware ESXi (versions 6.7, 7.0, and 8.0)
- VMware Workstation
- VMware Fusion
- VMware Cloud Foundation
- VMware Telco Cloud Platform and Infrastructure
Immediate Actions Required
1. Apply Security Patches NOW
Broadcom (VMware’s parent company) released patches in March 2025 through advisory VMSA-2025-0004. All administrators must update to the following versions or later:
- ESXi 8.0: ESXi80U3d-24585383 or ESXi80U2d-24585300
- ESXi 7.0: ESXi70U3s-24585291
- ESXi 6.7: Fixed version available (see Broadcom advisory)
Download patches from: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
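As an added example (not code from the page or from Broadcom), a small Python triage script that maps each host's vmware -v banner to the fixed builds listed above. It assumes that ESXi 8.0 U3, 8.0 U2 and 7.0 U3 hosts report themselves as versions 8.0.3, 8.0.2 and 7.0.3, and it sends 6.7 hosts to a manual check because this page gives no fixed build for them. Comparison is done within each update line, so a patched 8.0 U2 host (build 24585300) is not misreported just because its build is lower than the U3 fix.

```python
import re

# Minimum fixed builds from VMSA-2025-0004 as listed above, keyed by the version
# that `vmware -v` prints. Assumption: ESXi 8.0 U3 reports itself as 8.0.3,
# 8.0 U2 as 8.0.2 and 7.0 U3 as 7.0.3.
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}
BANNER_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")

def assess(banner):
    """Classify one host from its `vmware -v` banner line.
    status: patched | vulnerable | manual-check (no fixed build on this page,
    e.g. 6.7 or an 8.0/7.0 line not in the table) | unparsed."""
    m = BANNER_RE.search(banner)
    if not m:
        return {"status": "unparsed", "version": None, "build": None}
    version, build = m.group(1), int(m.group(2))
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return {"status": "manual-check", "version": version, "build": build}
    # Compare only within the same update line: a fully patched 8.0 U2 host
    # carries a lower build than the U3 fix, so one global threshold would
    # misreport it as vulnerable.
    status = "patched" if build >= fixed else "vulnerable"
    return {"status": status, "version": version, "build": build, "fixed": fixed}

def needs_attention(inventory):
    """Return [(host, status)] for every host not confirmed patched."""
    results = {host: assess(out)["status"] for host, out in inventory.items()}
    return [(h, s) for h, s in results.items() if s != "patched"]

# Constructed sample inventory (hostnames and builds made up) of the kind a
# collector would gather by running `vmware -v` over SSH on each host.
SAMPLE_INVENTORY = {
    "esx01": "VMware ESXi 8.0.3 build-24585383",  # exactly the U3 fix build
    "esx02": "VMware ESXi 8.0.3 build-24022510",  # older U3 build
    "esx03": "VMware ESXi 8.0.2 build-24585300",  # U2 fix build (< U3 fix)
    "esx04": "VMware ESXi 7.0.3 build-23794027",  # older 7.0 U3 build
    "esx05": "VMware ESXi 6.7.0 build-17700523",  # no fixed build on this page
}

if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Treat "manual-check" hosts as unpatched until the Broadcom advisory confirms their build, and extend FIXED_BUILDS from the advisory if you run update lines not covered here.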
2. Federal Mandate Deadline
CISA issued a Binding Operational Directive ordering all Federal Civilian Executive Branch agencies to identify, mitigate, or patch vulnerable VMware ESXi instances by March 25, 2025 (Cyber Press). While this deadline has passed, it underscores the urgency for all organizations.
3. Network Isolation
- Isolate unpatched ESXi hosts from the network immediately until remediation is complete
- Implement network segmentation to limit lateral movement
- Review and strengthen VPN security, particularly for SonicWall and similar appliances
4. Monitor for Indicators of Compromise
Watch for:
- Unusual VMX process activity
- Unauthorized configuration changes to ESXi hosts
- VSOCK processes running on ESXi hosts (use the lsof -a command)
- Evidence of BYOVD (bring-your-own-vulnerable-driver) loaders like KDU (Kernel Driver Utility)
- Disabled VMCI drivers
- Unsigned or unexpected kernel drivers
- Modified Windows firewall rules blocking external outbound traffic
- Reconnaissance tools like Advanced Port Scanner or ShareFinder
5. Review Access Controls
- Audit administrative access to virtual machines
- Implement least-privilege principles
- Review Domain Admin account usage and security
- Enable multi-factor authentication for all privileged accounts
6. Backup Verification
- Ensure backups are isolated from the production environment
- Verify backup integrity and test restoration procedures
- Consider immutable backup solutions
Long-Term Security Recommendations
- Hypervisor Hardening: Recognize that VM isolation is not absolute; hypervisor vulnerabilities can allow attackers to break out of guest VMs
- Defense in Depth: Don’t rely solely on virtualization for security boundaries
- Continuous Monitoring: Implement comprehensive logging and monitoring for ESXi hosts, not just virtual machines
- Regular Patching Cadence: Establish a process for rapid deployment of critical hypervisor patches
- End-of-Life Planning: Note that end-of-life ESXi versions will not receive patches; plan migrations accordingly
Additional Resources
- Broadcom Security Advisory: VMSA-2025-0004 (https://support.broadcom.com)
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Huntress Research: Detailed technical analysis of the exploit toolkit
- FAQ Document: https://brcm.tech/vmsa-2025-0004