Use one Virtual Machine to own them all — active exploitation of VMware ESX hypervisor escape ESXicape
Yesterday, VMware quietly released patches for three ESXi zero-day vulnerabilities: CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226.
The advisory:
Support Content Notification – Support Portal – Broadcom support portal
Although the advisory doesn't explicitly say it, this is a hypervisor escape (aka a VM escape). A threat actor who can run code inside a virtual machine can chain the three vulnerabilities to gain code execution on the ESXi hypervisor itself: first into the VM's VMX process on the host, then out of the VMX sandbox. Note the precondition in the advisory's wording: each bug is described as exploitable by an actor with local administrative privileges inside the guest, so the realistic starting point is a compromised or attacker-controlled VM, not an unprivileged foothold.
This is backed up by VMware's official GitHub, which says:

Yes, this is being actively exploited in the wild.
Once you have code execution on the ESXi host, you can reach everything the host can: the virtual disks and memory of every VM running on it, and, crucially, the host configuration and the datastores it has mounted. Because those datastores are usually shared between hosts over the storage network, the host configuration plus the mounted storage lets you traverse the wider VMware environment.
My pretty diagram:

For example, orgs use vMotion to let virtual machines move between ESXi hosts automatically, to balance load and to allow maintenance without downtime (it is how VMware security patching works: hosts are evacuated into maintenance mode). vMotion requires the hosts in a cluster to share datastores, so by design a threat actor on one host has direct access to the disks of VMs that are running on other hosts, not just the ones on the compromised host. They are basically loose on the storage backend.
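To make the "loose on the backend" point concrete, here is an added example (written for this page, not code from the article or from VMware) that computes the blast radius of a hypervisor escape on one host. The inventory is constructed: host names, datastore names and VM names are made up; the `[datastore] folder/file.vmdk` path form is the one vSphere uses for VM files. A VM is exposed either because it runs on the compromised host, or because its disks sit on a datastore that host has mounted, even though the VM itself runs elsewhere.

```python
import re

# Constructed sample inventory (not from the article or any real environment).
# Per-host mounted datastores, as the "Volume Name" column of
# `esxcli storage filesystem list` would show them.
HOST_DATASTORES = {
    "esx01": ["local-esx01", "nfs-prod-01", "fc-lun-07"],
    "esx02": ["local-esx02", "nfs-prod-01", "fc-lun-07"],
    "esx03": ["local-esx03", "nfs-dmz-01"],
}

# Per-VM placement: the host currently running the VM and its disk paths in the
# "[datastore] folder/file.vmdk" form vSphere uses for VM files.
VM_DISKS = {
    "dc01":        ("esx02", ["[fc-lun-07] dc01/dc01.vmdk", "[fc-lun-07] dc01/dc01_1.vmdk"]),
    "fileserver":  ("esx02", ["[nfs-prod-01] fileserver/fileserver.vmdk"]),
    "web-dmz":     ("esx03", ["[nfs-dmz-01] web-dmz/web-dmz.vmdk"]),
    "build-agent": ("esx01", ["[local-esx01] build-agent/build-agent.vmdk"]),
    "jump-dmz":    ("esx03", ["[local-esx03] jump-dmz/jump-dmz.vmdk"]),
}

DS_PATH = re.compile(r"^\[(?P<ds>[^\]]+)\]\s+(?P<path>\S.*)$")


def datastore_of(vmdk_path):
    """Extract the datastore name from a '[datastore] folder/file.vmdk' path."""
    m = DS_PATH.match(vmdk_path)
    if not m:
        raise ValueError(f"not a vSphere datastore path: {vmdk_path!r}")
    return m.group("ds")


def blast_radius(compromised_host, host_datastores=HOST_DATASTORES, vm_disks=VM_DISKS):
    """Return {vm_name: reason} for every VM whose disks (and, for co-resident
    VMs, memory) an attacker with code execution on `compromised_host` can reach."""
    reachable_ds = set(host_datastores[compromised_host])
    exposed = {}
    for vm, (running_on, disks) in vm_disks.items():
        if running_on == compromised_host:
            exposed[vm] = "running on compromised host (memory and disks)"
            continue
        # VM runs elsewhere, but its VMDKs live on storage this host has mounted.
        shared = sorted({datastore_of(d) for d in disks} & reachable_ds)
        if shared:
            exposed[vm] = (f"disks on shared datastore(s) {', '.join(shared)} "
                           f"while running on {running_on}")
    return exposed


if __name__ == "__main__":
    for vm, why in sorted(blast_radius("esx01").items()):
        print(f"{vm}: {why}")
```

Run against the constructed inventory, an escape on esx01 exposes the domain controller and the file server even though both run on esx02, because they share fc-lun-07 and nfs-prod-01 with esx01; the DMZ VMs on esx03 are out of reach only because that host mounts different storage. The same calculation, fed from your real inventory, tells you which datastores need to be segmented to contain a single-host compromise.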
Areas of concern
ESXi is a 'black box' environment: it is locked down, and you cannot run EDR agents or similar tooling on the host. As such, a hypervisor escape puts a threat actor outside the guest-level security tooling and monitoring most organisations rely on. Nothing inside the VMs can see what happens on the host underneath them. They can, for example, copy an Active Directory Domain Controller's virtual disk and read the directory database offline without triggering any alert anywhere in the stack, or delete data. The only telemetry left is the host's own logs, and those are only useful if the host forwards them (ESXi supports remote syslog) to something that is watched.
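As a practical counterpart to the point above, here is an added example (mine, not from the article) of the one layer that does remain: scanning forwarded ESXi syslog for host-level administrative activity. The log lines are constructed for this example (hostnames, PIDs, addresses and times are made up) and follow the formats ESXi's vobd, sshd and hostd write; the management network range is an assumption. Note the limitation: an attacker who has just escaped into the VMX process does not need SSH or the API, so these rules catch the follow-on interactive access described in the incidents below, not the escape itself.

```python
import ipaddress
import re

# Constructed ESXi syslog lines for this example (hostnames, PIDs, addresses
# and times are made up). Formats follow what vobd, sshd and hostd write on
# ESXi; confirm them against the logs your own hosts forward before relying
# on the regexes below.
SAMPLE_LOGS = """\
2025-03-05T09:14:02Z esx01 vobd[2098]: [GenericCorrelator] 5181234us: [esx.audit.ssh.enabled] SSH access has been enabled.
2025-03-05T09:14:30Z esx01 sshd[2101]: Accepted keyboard-interactive/pam for root from 10.40.12.77 port 51234 ssh2
2025-03-05T09:15:01Z esx01 hostd[2111]: info hostd[2111] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 4123 : User root@10.99.3.5 logged in as pyvmomi Python/3.9
2025-03-05T09:20:00Z esx01 vobd[2098]: [GenericCorrelator] 5412345us: [esx.audit.shell.enabled] ESXi Shell has been enabled.
2025-03-05T09:21:00Z esx01 crond[2105]: USER root pid 12345 cmd /bin/hostd-probe.sh
"""

# Assumed management network (replace with your own ranges). Anything that
# authenticates to a host from outside it is treated as higher severity.
MGMT_NETWORKS = [ipaddress.ip_network("10.40.12.0/24")]

HEADER = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")

# (rule name, regex over the text after the hostname). Source addresses are
# captured as `src` so the severity logic can treat all rules uniformly.
RULES = [
    ("ssh_enabled",   re.compile(r"\[esx\.audit\.ssh\.enabled\]")),
    ("shell_enabled", re.compile(r"\[esx\.audit\.shell\.enabled\]")),
    ("ssh_login",     re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("api_login",     re.compile(r"User (?P<user>[^@\s]+)@(?P<src>\S+) logged in as (?P<client>.+)$")),
]


def outside_mgmt(src):
    """True if `src` is not inside any assumed management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # unparsable source: treat as unexpected
    return not any(addr in net for net in MGMT_NETWORKS)


def scan(log_text):
    """Return one finding per matched line. Enabling SSH or the ESXi Shell, or
    any login from outside the management network, is rated high."""
    findings = []
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if not h:
            continue
        for name, rx in RULES:
            m = rx.search(h.group("rest"))
            if not m:
                continue
            src = m.groupdict().get("src")
            high = name.endswith("_enabled") or (src is not None and outside_mgmt(src))
            findings.append({
                "ts": h.group("ts"), "host": h.group("host"), "rule": name,
                "user": m.groupdict().get("user"), "src": src,
                "severity": "high" if high else "medium",
            })
            break  # first matching rule wins
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} {f['severity']:6} {f['rule']} user={f['user']} src={f['src']}")
```

Against the constructed lines this yields four findings: SSH being enabled, a root SSH login from inside the management range (medium), an API login as root from an address outside it (high), and the ESXi Shell being enabled. The crond line matches nothing and is dropped. Point `Syslog.global.logHost` on each host at a collector that applies rules like these and the host is no longer a complete blind spot.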
This is frequently seen in ransomware incidents, where threat actors directly exploit the ESXi host or the vCenter Server over the VMware management network using unpatched vulnerabilities. Once they
[…]