CISA Issues Alert on Actively Exploited VMware Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) escalated warnings on March 4, 2025, by adding four severe vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

Federal agencies and private organizations are urged to prioritize mitigation efforts, as threat actors are actively weaponizing these flaws in VMware ESXi, Workstation, Fusion, and the Linux kernel.

CVE-2025-22225: VMware ESXi Arbitrary Write Vulnerability

VMware’s ESXi hypervisor (versions 7.0–8.0) contains a memory corruption flaw enabling authenticated attackers with administrative privileges to write arbitrary data to host systems.

This critical vulnerability (CVSS 9.1) facilitates hypervisor escapes, allowing attackers to compromise underlying hardware or adjacent virtual machines.

VMware released patches in ESXi 8.0 P2, but reports indicate at least three advanced persistent threat (APT) groups have integrated this exploit into their attack chains.

CVE-2025-22224: VMware ESXi and Workstation TOCTOU Race Condition Vulnerability

A time-of-check-to-time-of-use (TOCTOU) race condition in VMware ESXi (7.0–8.0) and Workstation (17.0–17.5) permits attackers to manipulate virtual machine operations mid-execution.

Exploiting this flaw could lead to denial-of-service conditions or lateral movement within virtualized environments.

CISA confirms active exploitation in ransomware attacks targeting healthcare and energy sectors. Mitigation requires updating to Workstation 17.5.1 or ESXi 8.0 P1.

CVE-2025-22226: VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability

This medium-severity flaw (CVSS 6.5) in VMware’s virtualization suite allows unauthorized actors to access sensitive host system data, including credentials and configuration files.

While less severe than other CVEs, attackers are leveraging it to gather intelligence for multi-stage attacks. VMware has issued patches for ESXi (8.0 P2), Workstation (17.5.1), and Fusion (13.5.1).

Under Binding Operational Directive (BOD) 22-01, federal agencies must remediate these vulnerabilities by March 18, 2025.

Private enterprises, though not legally bound, face heightened risks: VMware products underpin over 70% of global enterprise virtual infrastructure.

CISA’s executive assistant director, Matt Hartman, emphasized, “These exploits are not theoretical—they’re actively enabling destructive attacks. Patching isn’t optional; it’s a survival requirement in today’s threat landscape.”

As virtualization technologies become ubiquitous, this advisory underscores the critical need for organizations to adopt automated patch management systems and segment virtual networks to contain breaches.

With VMware vulnerabilities accounting for 34% of all KEV entries in 2025, the stakes for cybersecurity teams have never been higher.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free