CISA Confirms VMware ESXi 0-Day Vulnerability Exploited in Ransomware Operations
By Divya
February 5, 2026
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical VMware ESXi vulnerability, tracked as CVE-2025-22225, to its Known Exploited Vulnerabilities (KEV) catalog.
The flaw, exploited as a zero-day before a fix was available, is an arbitrary write in the hypervisor that lets an attacker who already controls a VMX process break out of that process's sandbox and into the VMkernel. CISA's listing confirms it is being used in ransomware operations.
Technical Analysis of CVE-2025-22225
The vulnerability is classified as an arbitrary write (CWE-123, write-what-where condition): the attacker controls both the value that is written and the address it lands on. It affects the VMware ESXi hypervisor, which enterprises use to run and manage virtual machines.
The flaw is reachable from the VMX process, the per-VM user-space process on the ESXi host that services a running virtual machine (device emulation and other guest-facing work). VMX is deliberately sandboxed so that a compromised VMX cannot touch the VMkernel or other VMs; this bug defeats that boundary.
CVE ID              CVE-2025-22225
Vendor/Product      VMware ESXi
Vulnerability Type  Arbitrary Write (Sandbox Escape)
CWE                 CWE-123 (Write-what-where Condition)
Successful exploitation requires the attacker to already have code execution with the privileges of the VMX process, for example after first compromising that process from inside a guest VM. CVE-2025-22225 is therefore the privilege escalation step of a chain, not a standalone guest-to-host escape on its own.
From inside VMX, the attacker triggers a controlled write into VMkernel memory. A single well-placed kernel write (typically a function pointer, a credential or capability field, or a page-table entry) is enough to escape the VMX sandbox and run code with hypervisor privileges on the host.
Once in the VMkernel, the threat actor has moved from one contained process to the layer that owns every virtual machine on that host, and can read, modify, stop or encrypt any of them.
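To make the CWE-123 pattern concrete, here is an added example in C (illustrative code written for this page, not ESXi or VMkernel code, and not the actual exploit). It models a privileged memory region in which an unprivileged caller is allowed to fill a small table through an index. The vulnerable writer never checks that the index stays inside the table, so a write one slot past the end lands on a sensitive field that sits next to it, exactly the "where" control that turns an arbitrary write into a sandbox escape. The hardened writer bounds the index to the table the caller actually owns. The struct layout, field names and the privileged flag are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a privileged ("kernel") memory region that an
 * unprivileged component may write into through an index.
 * Illustrative only; this is not ESXi or VMkernel code. */
#define TABLE_ENTRIES 4

struct kmem {
    uint32_t table[TABLE_ENTRIES]; /* the caller is meant to write only here   */
    uint32_t caller_privileged;    /* sensitive field that sits right after it */
};

static struct kmem g_kmem;

/* Put the simulated memory back into a clean, unprivileged state. */
void kmem_reset(void)
{
    memset(&g_kmem, 0, sizeof g_kmem);
}

/* Vulnerable writer: "where" = idx, "what" = val, neither validated against
 * the table the caller owns (CWE-123). The only bound is the size of the
 * simulated memory, which plays the role of physical RAM; the sensitive
 * field lies inside that bound, so the check does not protect it. */
int table_write_vulnerable(size_t idx, uint32_t val)
{
    size_t off = idx * sizeof(uint32_t);
    if (off > sizeof g_kmem - sizeof val)
        return -1;
    memcpy((unsigned char *)&g_kmem + off, &val, sizeof val);
    return 0;
}

/* Hardened writer: the index is checked against the table the caller is
 * actually allowed to modify, so the "where" can never leave it. */
int table_write_hardened(size_t idx, uint32_t val)
{
    if (idx >= TABLE_ENTRIES)
        return -1;
    g_kmem.table[idx] = val;
    return 0;
}

/* The privileged operation the attacker is after: it succeeds only when
 * caller_privileged is non-zero. */
int privileged_op(void)
{
    return g_kmem.caller_privileged != 0;
}

/* Escape attempt: write the value 1 one slot past the end of the table.
 * With the vulnerable writer that slot is caller_privileged. Returns 1 if
 * the attacker ended up privileged, 0 if the write was refused. */
int escape_attempt(int (*writer)(size_t, uint32_t))
{
    kmem_reset();
    (void)writer(TABLE_ENTRIES, 1u);
    return privileged_op();
}

int main(void)
{
    printf("vulnerable writer: privileged=%d\n", escape_attempt(table_write_vulnerable));
    printf("hardened writer:   privileged=%d\n", escape_attempt(table_write_hardened));
    return 0;
}
```

The point of the model is that the fix is not about the value being written but about the address: once the caller can choose the destination freely, any adjacent privileged state becomes reachable, and on a real hypervisor that state is the VMkernel's own control data.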
CISA adds a CVE to the KEV catalog only on evidence of exploitation in the wild, so the listing confirms that threat actors are weaponizing this flaw, in this case in ransomware campaigns.
ESXi hosts are high-value ransomware targets because encrypting or destroying a single hypervisor takes down every workload it runs: the host's datastores hold the virtual disks of many servers at once, and hypervisor-level encryption bypasses any endpoint agent running inside the guests.
The initial advisory did not attribute the activity to a specific group. A reliable VMX-to-VMkernel escape is not trivial to develop, which points to capable operators, although once a working exploit circulates it is quickly reused by less sophisticated crews.
Under Binding Operational Directive 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate every KEV entry by its due date, the catalog entry for CVE-2025-22225 sets a remediation deadline of March 25, 2025.
Private organizations should treat the same deadline as a floor: ransomware groups accelerate their use of a vulnerability once it is publicly documented and a patch exists to diff against.
Administrators should apply the vendor fix immediately and verify that it landed by checking the running build number (esxcli system version get on the host) against the fixed builds listed in the vendor advisory. Where a fix cannot be applied, CISA's guidance is to follow any vendor mitigations or discontinue use of the product; in the meantime, treat unexpected VMX crashes or VMkernel panics as possible signs of exploitation attempts and investigate them.
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.