CISA confirmed that threat actors are exploiting a high-severity VMware ESXi sandbox escape tracked as CVE-2025-22225, which Broadcom patched in March 2025. Organizations are urged to apply vendor mitigations or follow BOD 22-01 guidance after CISA added the flaw to its Known Exploited Vulnerabilities list.
Key points
- CVE-2025-22225 is an ESXi arbitrary-write sandbox escape patched by Broadcom in March 2025.
- Broadcom also fixed related zero-days CVE-2025-22224 (TOCTOU) and CVE-2025-22226 (memory leak).
- CISA added CVE-2025-22225 to its Known Exploited Vulnerabilities catalog and says it is used in ransomware campaigns.
- Huntress reported Chinese-speaking actors have likely chained these ESXi flaws in sophisticated attacks since at least February 2024.
- Organizations should apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue affected VMware products if mitigations are unavailable.