Over 37,000 VMware ESXi servers vulnerable to ongoing attacks

March 6, 2025

VMware

Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in the wild.

This massive exposure is being reported by threat monitoring platform The Shadowserver Foundation, which reported a figure of around 41,500 yesterday.

Today, ShadowServer now reports that 37,000 are still vulnerable, indicating that 4,500 devices were patched yesterday.

CVE-2025-22224 is a critical-severity VCMI heap overflow vulnerability that enables local attackers with administrative privileges on the VM guest to escape the sandbox and execute code on the host as the VMX process.

Broadcom warned customers about it along with two other flaws, CVE-2025-22225 and CVE-2025-22226, on Tuesday, March 4, 2025, informing that all three were being exploited in attacks as zero-days.

The flaws were discovered by Microsoft Threat Intelligence Center, which observed their exploitation as zero days for an undisclosed period. Also, no information about the origin of the attacks and the targets has been shared yet.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has given federal agencies and state organizations until March 25, 2025, to apply the available updates and mitigations or stop using the product.

The Shadowserver Foundation reports that most of the vulnerable instances are in China (4,400), followed by France (4,100), the United States (3,800), Germany (2,800), Iran (2,800), and Brazil (2,200).

However, due to the widespread use of VMware ESXi, a popular hypervisor used for virtualization in enterprise IT environments for virtual machine management, the impact is global.

For more information on the ESXi versions that fix CVE-2025-22224, users are recommended to check Broadcom’s bulletin. Currently, there are no workarounds for this problem.

The vendor has also published a FAQ page for users to share additional action recommendations and impact details.