VMware Security Advisory: Ongoing Exploitation of Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226)

37,000 VMware ESXi Servers Still Vulnerable to CVE-2025-22224: A Call to Action for Enterprises

Virtualization is a cornerstone of modern enterprise infrastructure, which also makes the hypervisor a high-value target: whoever controls it controls every workload running on it. The recent disclosure of three zero-day vulnerabilities in VMware products has therefore raised alarms across the industry. The Microsoft Threat Intelligence Center discovered and reported the flaws, and Broadcom confirmed at disclosure that they were already being exploited in the wild, putting organizations that rely on VMware infrastructure at immediate risk.

Understanding the Vulnerabilities

The vulnerabilities in question, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, affect widely used VMware products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. None of them is remotely exploitable on its own: each requires an attacker who already holds administrator or root privileges inside a guest virtual machine. From that position, however, the flaws let the attacker escape the VM sandbox and run code on the hypervisor, and chained together they lead from the guest, through the VMX process that hosts it, to the ESXi kernel itself. A single compromised VM can thus become a foothold over every other VM on the same host.

Key Vulnerabilities

  1. CVE-2025-22224 (Critical, CVSS 9.3): A time-of-check/time-of-use race in VMCI (the Virtual Machine Communication Interface) that leads to an out-of-bounds heap write. A local attacker with administrative privileges in a guest can use it to execute code as that VM's VMX process on the host.

  2. CVE-2025-22225 (High, CVSS 8.2): An arbitrary write vulnerability in ESXi. An attacker who already controls the VMX process (for example via CVE-2025-22224) can trigger an arbitrary kernel write, escaping the VMX sandbox into the hypervisor kernel.

  3. CVE-2025-22226 (High, CVSS 7.1): An out-of-bounds read in HGFS, the host-guest file sharing component, that lets an attacker with administrative privileges in a guest leak memory from the VMX process. On its own it is an information disclosure, but the leaked memory is exactly what an exploit for the two flaws above needs to defeat address-space randomization.

Given their critical nature and the potential for real-world exploitation, organizations must act swiftly to secure their environments.

Who Is Affected?

The vulnerabilities affect VMware ESX and every product built on it, including VMware vSphere, VMware Cloud Foundation, and VMware Telco Cloud Platform, as well as the desktop hypervisors VMware Workstation and Fusion. Organizations running unpatched versions of any of these products are at risk. VMware vCenter, SDDC Manager, NSX, and the Aria Suite are not affected, but note that a compromised ESXi host can still be used to attack the vCenter that manages it.

Two points deserve emphasis. First, vSphere Live Patch is not an option for these fixes; hosts must be patched and rebooted (or evacuated and updated) in the normal way. Second, disabling VMware Tools inside guests does not remove the exposure, because the vulnerable interfaces are host-side components and an attacker who is already root in the guest can simply re-enable Tools. Organizations that cannot confirm the exact ESX build they are running should assume they are vulnerable and update immediately. For the authoritative list of affected products, versions, and fixed builds, consult the VMware Security Advisory VMSA-2025-0004.

The Current State of Vulnerability

As of March 7, 2025, the Shadowserver Foundation reports that approximately 37,000 internet-exposed VMware ESXi instances remain vulnerable to CVE-2025-22224. Patching is progressing, but a large number of systems are still exposed, with the highest counts in China, France, and the United States. An ESXi management interface that is reachable from the internet is itself a finding: even once patched, it should not be exposed, as it provides an attacker with the first step toward the guest-level access these flaws require.

Although the identities of the attackers and their targets have not been made public, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 to its Known Exploited Vulnerabilities (KEV) Catalog and directed federal agencies to remediate them by March 25, 2025.

Protecting Your Organization

Broadcom has confirmed that there are no workarounds for these vulnerabilities, so applying the patches is the only way to close them. Compensating controls such as privileged access management, host-based defenses in guests, and restricted management-network access raise the cost of reaching the required guest-admin position, and they are worth having, but they are not substitutes for patching.

To mitigate risks, organizations should take the following actions:

  1. Apply Patches Immediately: Install the fixed builds listed in the VMware Security Advisory on every ESXi host, and update Workstation and Fusion installations as well. Plan the host reboots now rather than waiting for a maintenance window.

  2. Assess the Risk: Inventory every ESXi host with its version and build number, compare each against the fixed build for its release train, and treat any host whose build cannot be confirmed as vulnerable. Prioritize hosts that run multi-tenant or internet-facing workloads, since those guests are the most likely to already be compromised.

  3. Monitor for Suspicious Activity: Review vmkernel.log and hostd.log on each host for unexpected VMX process crashes or new processes spawned from VMX, and forward host logs to a central syslog server, since an attacker who has escaped to the hypervisor can alter the local copies.

  4. Strengthen Access Controls: Limit who holds administrator or root privileges inside guests, enforce multi-factor authentication on vCenter and on the ESXi management interface, and enable lockdown mode so that hosts are managed only through vCenter.

  5. Implement Network Segmentation: Keep the ESXi management network separate from guest networks and off the internet, and restrict lateral movement between virtualized workloads so that one compromised guest cannot be used to reach others.
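The two checks above that can be automated, confirming a host's build against the fixed build for its release train and treating any host that cannot be placed on a patched train as vulnerable, are shown here as an added example. This is not code from the original article, from Broadcom, or from VMware. It parses the key/value output of `esxcli system version get` (the sample outputs below are constructed, not real inventory), and the fixed-build numbers in FIXED_BUILDS are an assumption of this example, recorded from memory of VMSA-2025-0004, that must be verified against the advisory before the result is acted on:

```python
"""Triage ESXi hosts against the fixed builds from VMSA-2025-0004.

Input: the text of `esxcli system version get` from each host.
Output: which hosts sit below the first fixed build for their release train.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# ASSUMPTION (this example's, not the advisory's text): first build per
# release train that contains the fix, recalled as ESXi 8.0 U3d, 8.0 U2d and
# 7.0 U3s. Verify these numbers against VMSA-2025-0004 before relying on them.
FIXED_BUILDS: Dict[str, int] = {
    "8.0.3": 24585383,
    "8.0.2": 24585300,
    "7.0.3": 24585291,
}

# One "   Key: value" line of esxcli output; keys are the five esxcli prints.
_FIELD = re.compile(r"^\s*(Product|Version|Build|Update|Patch):\s*(.+?)\s*$", re.M)


def parse_version_output(text: str) -> Dict[str, str]:
    """Turn the key/value lines of `esxcli system version get` into a dict."""
    return {key: value for key, value in _FIELD.findall(text)}


def build_number(build_field: str) -> int:
    """'Releasebuild-24585383' -> 24585383; raise if no number is present."""
    m = re.search(r"(\d+)\s*$", build_field)
    if not m:
        raise ValueError(f"unrecognised Build field: {build_field!r}")
    return int(m.group(1))


@dataclass
class HostStatus:
    host: str
    version: str
    build: int
    vulnerable: bool
    reason: str


def assess_host(host: str, text: str) -> HostStatus:
    """Classify one host; unknown or end-of-life trains are assumed vulnerable."""
    fields = parse_version_output(text)
    version = fields.get("Version", "")
    build = build_number(fields.get("Build", ""))
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        # The advisory's rule for hosts you cannot place: assume vulnerable.
        return HostStatus(host, version, build, True,
                          f"no fixed build known for {version or 'unknown version'}; assume vulnerable")
    if build >= fixed:
        return HostStatus(host, version, build, False, f"build {build} >= fixed build {fixed}")
    return HostStatus(host, version, build, True, f"build {build} < fixed build {fixed}")


def triage(outputs: Dict[str, str]) -> List[HostStatus]:
    """Assess every host, listing vulnerable hosts first, then by name."""
    results = [assess_host(host, text) for host, text in outputs.items()]
    return sorted(results, key=lambda s: (not s.vulnerable, s.host))


def vulnerable_hosts(outputs: Dict[str, str]) -> List[str]:
    """Names of the hosts that still need the patch."""
    return [s.host for s in triage(outputs) if s.vulnerable]


# Constructed sample output from four hypothetical hosts (not real inventory):
# an unpatched 8.0 U3, a patched 8.0 U3d, an unpatched 7.0 U3, and an
# end-of-life 6.7 host that has no fixed build at all.
SAMPLE_OUTPUT: Dict[str, str] = {
    "esx01.lab.example": "   Product: VMware ESXi\n   Version: 8.0.3\n"
                         "   Build: Releasebuild-24022510\n   Update: 3\n   Patch: 0\n",
    "esx02.lab.example": "   Product: VMware ESXi\n   Version: 8.0.3\n"
                         "   Build: Releasebuild-24585383\n   Update: 3\n   Patch: 0\n",
    "esx03.lab.example": "   Product: VMware ESXi\n   Version: 7.0.3\n"
                         "   Build: Releasebuild-23794027\n   Update: 3\n   Patch: 0\n",
    "esx04.lab.example": "   Product: VMware ESXi\n   Version: 6.7.0\n"
                         "   Build: Releasebuild-17700523\n   Update: 3\n   Patch: 0\n",
}

if __name__ == "__main__":
    for status in triage(SAMPLE_OUTPUT):
        flag = "VULNERABLE" if status.vulnerable else "patched   "
        print(f"{flag} {status.host:20} {status.version:6} {status.build}  {status.reason}")
```

In practice the per-host text would be collected over SSH or from vCenter rather than embedded as above; the comparison logic stays the same. Note that the check is deliberately pessimistic: a host on a train with no entry in FIXED_BUILDS, such as the end-of-life 6.7 host in the sample, is reported as vulnerable rather than silently skipped, which is the behaviour the advisory's "assume vulnerable" guidance calls for.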

Conclusion

These vulnerabilities pose a serious threat to any enterprise that depends on virtualized infrastructure: they are already being exploited, they have no workaround, and thousands of hosts remain unpatched. Immediate action is essential. Organizations must prioritize patching every affected host and, in parallel, tighten the guest-level privileges and management-network exposure that an attacker needs in order to reach these flaws in the first place.

In a landscape where cyber threats are ever-evolving, staying informed and proactive is the best defense against the risks posed by vulnerabilities like CVE-2025-22224. By leveraging tools like SOCRadar’s Vulnerability Intelligence and Attack Surface Management, organizations can gain insights into their security posture and take decisive action to protect their digital assets.

As the cybersecurity landscape continues to evolve, vigilance and preparedness will be key to navigating the challenges ahead.
