
CISA Confirms VMware ESXi 0-Day Vulnerability Exploited in Ransomware Operations - gbhackers.com

Source: gbhackers.com. Archived Jun 24, 2026.



By Divya, February 5, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability affecting VMware ESXi to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-22225, this zero-day flaw allows attackers to escape security sandboxes. It is currently being leveraged in active ransomware operations.

Technical Analysis of CVE-2025-22225

The vulnerability is classified as an arbitrary write memory management vulnerability (CWE-123). It specifically affects the VMware ESXi hypervisor, a platform widely used by enterprises to manage virtual machines. The flaw exists in the VMX process, which runs the virtual machine’s execution environment.

CVE ID: CVE-2025-22225
Vendor/Product: VMware ESXi
Vulnerability Type: Arbitrary Write (Sandbox Escape)
CWE: CWE-123 (Write-what-where Condition)

Successful exploitation requires an attacker to have privileges within this VMX process already. Once established, the attacker can trigger an arbitrary kernel write. This action allows them to escape the virtual machine’s isolation (sandbox escape) and gain unauthorized access to the underlying host system.

By escaping the sandbox, a threat actor moves from a contained environment to the central management layer, potentially gaining control over all virtual machines running on that specific hypervisor.

CISA’s inclusion of this CVE in the KEV catalog confirms that threat actors are actively weaponizing this flaw in ransomware campaigns. ESXi servers have become high-value targets for ransomware groups because compromising a single hypervisor enables them to encrypt multiple servers and critical workloads, thereby maximizing disruption.

While specific threat actor attribution was not released in the initial advisory, the complexity of the sandbox escape suggests the involvement of sophisticated operators.

In response to the active exploitation, CISA has issued a binding operational directive. Federal Civilian Executive Branch (FCEB) agencies are mandated to identify and patch vulnerable instances of VMware ESXi by March 25, 2025. Private organizations are strongly urged to prioritize this patch, as ransomware groups frequently accelerate their attacks once a vulnerability is publicly documented.

Administrators should apply vendor mitigations immediately or discontinue the use of the product if a fix is not yet available.