VMware ESXi Vulnerability Actively Exploited in 2026

A serious security concern is dominating virtualization news this month as a critical flaw affecting VMware ESXi servers has begun seeing active exploitation in the wild. System administrators and IT security teams need to act immediately to protect their infrastructure.

What’s Happening?

In early February 2026, CISA officially added CVE-2025-22225 to its Known Exploited Vulnerabilities catalog, confirming active exploitation by ransomware operators Help Net Security Cyber Press. This vulnerability is part of a sophisticated attack chain that has been targeting VMware infrastructure since at least early 2025, with evidence suggesting development began even earlier.

The Vulnerability Trio

Three critical vulnerabilities are being exploited together to achieve complete virtual machine escape and hypervisor compromise:

CVE-2025-22225 (CVSS 8.2 – Important Severity) An arbitrary write vulnerability allowing attackers to perform memory writes that lead to sandbox escape, enabling code execution on the ESXi host Cyber Press. This is the final stage that allows attackers to break out of the virtual machine and gain control of the underlying hypervisor.

CVE-2025-22224 (CVSS 9.3 – Critical Severity) A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMCI that leads to an out-of-bounds write, permitting code execution as the VMX process Security Affairs.

CVE-2025-22226 (CVSS 7.1 – Important Severity) An information disclosure vulnerability caused by an out-of-bounds read in the Host-Guest File System that allows memory leakage from the vmx process Huntress.

Affected Products and Versions

The vulnerabilities affect:

VMware ESXi (versions 6.7, 7.0, and 8.0)
VMware Workstation
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform and Infrastructure

Immediate Actions Required

1. Apply Security Patches NOW

Broadcom (VMware’s parent company) released patches in March 2025 through advisory VMSA-2025-0004. All administrators must update to the following versions or later:

ESXi 8.0: ESXi80U3d-24585383 or ESXi80U2d-24585300
ESXi 7.0: ESXi70U3s-24585291
ESXi 6.7: Fixed version available (see Broadcom advisory)

Download patches from: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

2. Federal Mandate Deadline

CISA issued a Binding Operational Directive ordering all Federal Civilian Executive Branch agencies to identify, mitigate, or patch vulnerable VMware ESXi instances by March 25, 2025 Cyber Press. While this deadline has passed, it underscores the urgency for all organizations.

3. Network Isolation

Isolate unpatched ESXi hosts from the network immediately until remediation is complete
Implement network segmentation to limit lateral movement
Review and strengthen VPN security, particularly for SonicWall and similar appliances

4. Monitor for Indicators of Compromise

Watch for:

Unusual VMX process activity
Unauthorized configuration changes to ESXi hosts
VSOCK processes running on ESXi hosts (use lsof -a command)
Evidence of BYOD loaders like KDU (Kernel Driver Utility)
Disabled VMCI drivers
Unsigned or unexpected kernel drivers
Modified Windows firewall rules blocking external outbound traffic
Reconnaissance tools like Advanced Port Scanner or ShareFinder

5. Review Access Controls

Audit administrative access to virtual machines
Implement least-privilege principles
Review Domain Admin account usage and security
Enable multi-factor authentication for all privileged accounts

6. Backup Verification

Ensure backups are isolated from the production environment
Verify backup integrity and test restoration procedures
Consider immutable backup solutions

Long-Term Security Recommendations

Hypervisor Hardening: Recognize that VM isolation is not absolute; hypervisor vulnerabilities can allow attackers to break out of guest VMs
Defense in Depth: Don’t rely solely on virtualization for security boundaries
Continuous Monitoring: Implement comprehensive logging and monitoring for ESXi hosts, not just virtual machines
Regular Patching Cadence: Establish a process for rapid deployment of critical hypervisor patches
End-of-Life Planning: Note that end-of-life ESXi versions will not receive patches; plan migrations accordingly