Zeljka Zorz, Editor-in-Chief, Help Net Security
February 5, 2026

CISA confirms exploitation of VMware ESXi flaw by ransomware attackers

CVE-2025-22225, a VMware ESXi arbitrary write vulnerability, is being used in ransomware campaigns, CISA confirmed on Wednesday by updating the vulnerability’s entry in its Known Exploited Vulnerabilities (KEV) catalog.

Researchers linked VMware ESXi zero-day trio to single exploit toolkit

Broadcom fixed CVE-2025-22225, CVE-2025-22224 (a heap overflow vulnerability) and CVE-2025-22226 (an information disclosure flaw) in VMware ESXi, Workstation, and Fusion in early March 2025. At the time of their disclosure, Broadcom said it had information suggesting that the three vulnerabilities had been exploited in the wild as zero-days, but details about the attacks were not shared. The three flaws were added to CISA’s KEV catalog on the same day.

In January 2026, Huntress researchers observed attackers using an exploit toolkit they believe takes advantage of all three vulnerabilities.

“Based on our analysis of the exploit’s behavior, its use of HGFS for information leaking, VMCI for memory corruption, and shellcode that escapes to the kernel, the Huntress Tactical Response team assesses with moderate confidence that this toolkit leverages these three CVEs,” they said at the time.

They also reported finding evidence suggesting the toolkit may have been developed by Chinese-speaking exploit developers more than a year before VMware’s public disclosure (i.e., in early 2024).

Delayed KEV ransomware flags complicate patch prioritization

Despite past public reports that all three vulnerabilities were being leveraged by ransomware actors, the KEV catalog marks only CVE-2025-22225 as “Known To Be Used in Ransomware Campaigns” at present, while the status of CVE-2025-22224 and CVE-2025-22226 remains “Unknown”.
While the KEV catalog’s primary purpose is to provide US federal civilian agencies with a list of vulnerabilities they are required to remediate by specific deadlines, it is also widely relied upon by private-sector security teams to prioritize patching and mitigation efforts. Given that these private-sector consumers are far more likely to face ransomware attacks than nation-state cyber-espionage or sabotage campaigns, it is unfortunate for them that CISA often lags in updating the knownRansomwareCampaignUse field on KEV entries.

Although GreyNoise’s Glenn Thorpe recently pointed out that “relying on KEV for prioritization is already a trailing indicator, and waiting for the ransomware flag is even slower,” greater visibility into such updates would still be valuable.

Until CISA decides whether to provide that transparency, Thorpe has offered a practical workaround: an RSS feed that checks the KEV catalog hourly and alerts subscribers whenever CISA flips the knownRansomwareCampaignUse field to “Known”.
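The check such a feed has to perform, as an added example that is not Thorpe's feed or any code from the article: diff two snapshots of the KEV JSON catalog on its cveID and knownRansomwareCampaignUse fields and report entries whose flag became “Known”. The feed URL is the one CISA publishes; the two snapshots are constructed, trimmed to the fields the check needs, and CVE-0000-0000 is a placeholder for an entry that first appears in the catalog already flagged.

```python
import json
import urllib.request

# Real URL of CISA's KEV catalog in JSON form; fetch_catalog() is only needed when run online.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed snapshots, trimmed to the two fields this check uses. Field names follow the
# real KEV JSON schema; CVE-0000-0000 is a placeholder standing in for any entry that first
# appears in the catalog already flagged as "Known".
PREVIOUS_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-22224", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-22225", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-22226", "knownRansomwareCampaignUse": "Unknown"},
]})
CURRENT_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-22224", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-22225", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-22226", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0000", "knownRansomwareCampaignUse": "Known"},
]})

def fetch_catalog(url: str = KEV_URL, timeout: int = 30) -> str:
    """Download the live catalog as a JSON string (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def ransomware_flags(catalog_json: str) -> dict:
    """Map cveID -> knownRansomwareCampaignUse; a missing field counts as 'Unknown'."""
    entries = json.loads(catalog_json)["vulnerabilities"]
    return {e["cveID"]: e.get("knownRansomwareCampaignUse", "Unknown") for e in entries}

def newly_flagged(previous_json: str, current_json: str, watchlist=None) -> dict:
    """Report CVEs whose flag is 'Known' now but was not in the previous snapshot.
    'flipped' = entries that existed before with another value; 'new' = entries absent
    before, so a CVE added to the catalog already flagged is never silently dropped.
    An optional watchlist (set of CVE IDs) restricts the report to the CVEs you track."""
    before, after = ransomware_flags(previous_json), ransomware_flags(current_json)
    known_now = {c for c, flag in after.items() if flag == "Known"}
    if watchlist is not None:
        known_now &= set(watchlist)
    flipped = sorted(c for c in known_now if c in before and before[c] != "Known")
    new = sorted(c for c in known_now if c not in before)
    return {"flipped": flipped, "new": new}

if __name__ == "__main__":
    # Offline demo on the constructed snapshots; feed fetch_catalog() output for the live check.
    print(newly_flagged(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT))
```

Run it on a schedule, persisting the last fetched catalog as the "previous" snapshot, and the "flipped" list is exactly the set of entries an hourly alert would announce.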
CISA has confirmed that CVE-2025-22225, a VMware ESXi arbitrary write vulnerability, is being actively exploited in ransomware campaigns and has added it to their Known Exploited Vulnerabilities catalog. This vulnerability, along with CVE-2025-22224 (heap overflow) and CVE-2025-22226 (information disclosure), was patched by Broadcom in early March 2025 in VMware ESXi, Workstation, and Fusion. An exploit toolkit leveraging all three vulnerabilities is suspected to be in use by attackers, potentially developed by Chinese-speaking actors as early as 2024. While patches are available, CISA's delayed KEV updates regarding ransomware exploitation complicate patch prioritization for private-sector organizations.