VMware

CISA, VMware warn of new vulnerabilities being exploited by hackers

Federal civilian agencies have three weeks to resolve three recently reported vulnerabilities affecting products from technology giant VMware after the company confirmed the bugs are being exploited by hackers. 

VMware published an advisory on Tuesday warning customers of CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, three bugs impacting the company’s popular ESXi, Workstation and Fusion products.

The company said the vulnerabilities were reported to it by Microsoft Threat Intelligence Center. Of the three, CVE-2025-22224 carries the highest severity score of 9.3 out of 10.

VMware said all customers should apply these updates following confirmation that the company “has information to suggest that exploitation … has occurred in the wild.”

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the three bugs are being exploited by adding them to the Known Exploited Vulnerabilities catalog on Tuesday. Federal civilian agencies have until March 25 to patch them. 

In a corresponding FAQ, VMware said the vulnerabilities would qualify “as an emergency change, requiring prompt action from your organization.” 

“Exploiting this vulnerability does require administrator/root privileges on a guest operating system, so there are other layers of defenses that can help if they are in place,” the company noted. “There are no other meaningful workarounds that do not involve updating and restarting VMware ESX.”

The FAQ includes a lengthy list of specific information based on the kind of VMware tool customers are using. 

Incident responders at cybersecurity firm Rapid7 said the vulnerabilities require existing privileged access and noted that there is no public exploit code for any of the CVEs.

“But, Rapid7 recommends applying vendor-supplied fixes on an expedited basis, since ESXi hypervisors are popular targets for both financially motivated and state-sponsored adversaries,” the company said. 

Patrick Tiquet, a cybersecurity expert at Keeper Security, said the vulnerabilities are serious because they allow attackers to break out of a compromised virtual machine (VM) — essentially software that pretends to be a physical computer — and take control of the underlying host system.

CVE-2025-22224 lets attackers who already have administrative access inside a VM execute code on the host, potentially giving them control over all the other VMs running on the same server, he explained.

The danger, he added, is that once attackers gain access at this level, they can spread across the entire system, steal data and install backdoors to maintain access. 

Tiquet and several other experts noted that they have seen both cybercriminals and state-sponsored groups exploit VMware vulnerabilities in the past to establish long-term access to organizations.  

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.