February 4, 2026 By Sergiu Gatlan
CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was previously used in zero-day attacks.
Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) in March 2025 alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged them all as actively exploited zero-days.
"A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox," Broadcom said about the CVE-2025-22225 flaw.
At the time, the company said that the three vulnerabilities affect VMware ESX products, including VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform, and that attackers with privileged administrator or root access can chain them to escape the virtual machine's sandbox.
According to a report published last month by cybersecurity company Huntress, Chinese-speaking threat actors have likely been chaining these flaws in sophisticated zero-day attacks since at least February 2024.