Over 37,000 VMware ESXi Instances Still Vulnerable to Critical Zero-Day – Patch Now Available


Get it before it's too late.

A critical VMware ESXi vulnerability (CVE-2025-22224) remains unpatched in over 37,000 instances, despite active exploitation in the wild. If you were unable to update due to issues with Broadcom’s Support Portal, now is the time to take action.

What’s the Risk?

Broadcom recently disclosed three VMware zero-day vulnerabilities affecting ESXi, Workstation, and Fusion. Of these, CVE-2025-22224 is the most severe, carrying a CVSS score of 9.8. This Time-of-Check Time-of-Use (TOCTOU) flaw enables an attacker with local administrator privileges inside a guest virtual machine to execute arbitrary code in the virtual machine executable (VMX) process on the host, leading to a potential hypervisor escape.

Security researcher Kevin Beaumont warns that these vulnerabilities pose a significant threat because VMware environments are typically locked down, making detection difficult. Threat actors leveraging this exploit could gain access to critical infrastructure such as Active Directory domain controllers without triggering alerts.

OK, this is old, so why are we telling you now? Why haven't some organizations patched yet?

Many organizations have been unable to patch this vulnerability; VMware estimates that ~40k businesses are still vulnerable, and mass exploitation is occurring online. Since the vulnerabilities were disclosed, Shadowserver's scanning data has tracked a gradual decline in unpatched ESXi instances. However, many organizations reported being unable to access the patches due to licensing restrictions on Broadcom's Support Portal. Broadcom has since acknowledged the issue and recommended alternative ways to obtain the patches, including in-product downloads and support ticket requests.

Immediate Action Required

  • Apply Patches Now: VMware has released fixes for all affected products. If you previously encountered access issues, try again.
  • Restrict Privileged Access: Limit admin privileges within virtual machines to prevent potential exploitation.
  • Enhance Monitoring: Watch for unusual activity, such as unauthorized changes to registry keys or scheduled task creation.
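The first step above is only done when you can prove every host is on a fixed build. The script below is an added example (not from the original post or from Broadcom) that parses the text printed by `esxcli system version get` on each host and flags hosts whose build number is below the fixed build for their branch. The `FIXED_BUILDS` values are placeholders you must replace with the build numbers from Broadcom's advisory for CVE-2025-22224, and the inventory text is constructed sample output, not data from any real host.

```python
"""Flag ESXi hosts that are still below the fixed build for CVE-2025-22224.

Added example. Input is the text printed by `esxcli system version get`,
collected per host (for instance over SSH or via your inventory tool).
"""
import re

# PLACEHOLDER build numbers, keyed by ESXi major.minor branch.
# Replace each value with the fixed build from Broadcom's advisory;
# build numbers are only comparable within one branch, hence the map.
FIXED_BUILDS = {
    "7.0": 99999991,   # placeholder
    "8.0": 99999992,   # placeholder
}

# Constructed sample output of `esxcli system version get` from four hosts.
SAMPLE_INVENTORY = {
    "esx01.example.internal": """   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24500000
   Update: 3
   Patch: 0
""",
    "esx02.example.internal": """   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-99999992
   Update: 3
   Patch: 0
""",
    "esx03.example.internal": """   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-99999991
   Update: 3
   Patch: 0
""",
    "esx04.example.internal": """   Product: VMware ESXi
   Version: 6.7.0
   Build: Releasebuild-17700523
   Update: 3
   Patch: 0
""",
}


def parse_version_output(text):
    """Return (version, build) from esxcli output; raise ValueError if either is missing."""
    version = re.search(r"^\s*Version:\s*(\S+)", text, re.M)
    build = re.search(r"^\s*Build:\s*Releasebuild-(\d+)", text, re.M)
    if not version or not build:
        raise ValueError("could not parse esxcli version output")
    return version.group(1), int(build.group(1))


def branch_of(version):
    """'8.0.3' -> '8.0': the key used to look up the fixed build."""
    return ".".join(version.split(".")[:2])


def assess_host(text):
    """Classify one host as patched, vulnerable, or unknown-branch.

    A branch missing from FIXED_BUILDS (e.g. an end-of-life 6.x host) is not
    treated as safe: it is reported separately so it still gets attention.
    """
    version, build = parse_version_output(text)
    fixed = FIXED_BUILDS.get(branch_of(version))
    if fixed is None:
        status = "unknown-branch"
    else:
        status = "patched" if build >= fixed else "vulnerable"
    return {"version": version, "build": build, "status": status}


def assess_inventory(inventory):
    """Map every host name to its assessment."""
    return {host: assess_host(text) for host, text in inventory.items()}


def hosts_needing_action(inventory):
    """Sorted list of hosts that are vulnerable or on a branch with no known fix."""
    results = assess_inventory(inventory)
    return sorted(h for h, r in results.items() if r["status"] != "patched")


if __name__ == "__main__":
    for host, result in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {result['version']} build {result['build']} -> {result['status']}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

Hosts on an unlisted branch are deliberately not reported as patched; an end-of-life ESXi version with no fixed build is a candidate for migration rather than a clean bill of health. Re-run the check after patching, since the Shadowserver figures above show that "we applied the patch" and "every host is actually on the fixed build" are not always the same thing.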

With attackers actively exploiting these flaws, delaying updates is not an option. Organizations must take immediate steps to secure their VMware environments and mitigate the risk of hypervisor escapes.
