Overview
- On February 4, CISA updated its Known Exploited Vulnerabilities catalog to state that CVE-2025-22225 is being leveraged in ransomware campaigns, without naming specific threat actors.
- Broadcom patched CVE-2025-22225 alongside CVE-2025-22224 and CVE-2025-22226 in March 2025, releasing updates for ESXi, Workstation, and Fusion.
- According to Broadcom, a user with VMX process privileges can trigger an arbitrary kernel write that enables escape from the virtual machine sandbox.
- In January, Huntress detailed a VMware ESXi exploit toolkit featuring an orchestrator dubbed MAESTRO and a VSOCK-based backdoor, with evidence of use since at least February 2024 and activity observed in a December 2025 intrusion.
- CISA previously ordered federal agencies to remediate the flaw in March 2025 and now marks only CVE-2025-22225 as known to be used in ransomware; the ransomware-use status of the two related bugs is still listed as unknown.