CVE-2025-22225 — VMware ESXi Arbitrary Write Vulnerability

VMware ESXi — VMX Process Arbitrary Kernel Write → Host Escape; Part of VMSA-2025-0004 Guest Escape Chain; Ransomware Exploitation

What is VMware ESXi?

VMware ESXi is the enterprise-grade bare-metal hypervisor that powers a large fraction of the world's private cloud and on-premises virtualization infrastructure. Each VM is managed by a vmx process that runs on the host with elevated privileges. Vulnerabilities in components accessible from within a VM that allow writing to host kernel memory represent the highest-severity class of hypervisor vulnerabilities — enabling a complete guest-to-host escape.

Overview

CVE-2025-22225 is an arbitrary write vulnerability (CWE-787) in VMware ESXi that allows an attacker who has already achieved code execution within the vmx process (through a companion vulnerability) to trigger an arbitrary write to the ESXi kernel — enabling full host kernel compromise and VM escape. This is the arbitrary write component of the three-CVE VMSA-2025-0004 guest escape chain. The companion vulnerabilities are CVE-2025-22226 (HGFS OOB read for memory disclosure) and CVE-2025-22224 (SVGA heap overflow for initial vmx process RCE). Both espionage actors and ransomware operators exploited this chain as a zero-day.

Affected Versions

Product            Vulnerable    Fixed
VMware ESXi 8.0    < 8.0 U3d     8.0 U3d
VMware ESXi 7.0    < 7.0 U3r     7.0 U3r

(This specific CVE affects ESXi only; CVE-2025-22224/22226 also affect Workstation and Fusion.)

Technical Details

The arbitrary write vulnerability (CWE-787) exists in a code path accessible from the vmx process (the per-VM management process) that allows writing to arbitrary ESXi kernel memory. The vmx process runs in user space on the ESXi host but interacts closely with the hypervisor kernel. The flaw allows an attacker who controls the vmx process (achieved via CVE-2025-22224) to write attacker-controlled data to arbitrary kernel memory addresses.

Role in the three-CVE guest escape chain:

  1. CVE-2025-22226: OOB read in HGFS → memory leak to bypass ASLR
  2. CVE-2025-22224: SVGA heap overflow → RCE inside the vmx process (from within a guest VM)
  3. CVE-2025-22225 (this CVE): Arbitrary kernel write → corrupt ESXi kernel structures → host kernel code execution

The Changed scope (S:C) and High privileges required (PR:H) reflect that this CVE requires code running in the already-privileged vmx process to trigger the kernel write.

Discovery

Credited to Microsoft Threat Intelligence Center (MSTIC). Exploited as a zero-day in targeted attacks before the March 4, 2025 patch.

Exploitation Context

CISA added CVE-2025-22225 to the KEV catalog on March 4, 2025. The catalog's "Known Ransomware Use" flag is set because ransomware operators (in addition to espionage actors) exploited the VMSA-2025-0004 chain to escape VMs and deploy ransomware across ESXi hosts — a pattern seen in previous ESXi-targeted ransomware campaigns (ESXiArgs, Royal ransomware). A successful ESXi escape from one VM gives the attacker access to the host and all VMs running on it.

Remediation

  1. Apply VMSA-2025-0004 patches immediately: ESXi 8.0 U3d or 7.0 U3r. The CISA deadline was March 25, 2025.
  2. Patch all three CVEs together — the chain requires all three components to work, but each CVE also represents an independent vulnerability that may be exploitable in other chains.
  3. Restrict VMware shared folder (HGFS) usage to minimize CVE-2025-22226 exposure.
  4. Isolate ESXi management network — the VMSA-2025-0004 chain requires code execution inside a guest VM; limiting who can interact with VMs reduces exposure.
  5. Hunt for indicators of ESXi compromise: unexpected new VMs, modified VM configurations, unusual processes on the ESXi host shell, ransomware notes in VM datastores.

Key Details

Property                Value
CVE ID                  CVE-2025-22225
Vendor / Product        VMware — ESXi
NVD Published           2025-03-04
NVD Last Modified       2025-10-30
CVSS 3.1 Score          8.2
CVSS 3.1 Vector         CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity                HIGH
CWE                     CWE-787
CISA KEV Added          2025-03-04
CISA KEV Deadline       2025-03-25
Known Ransomware Use    Yes

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Local
Attack Complexity      Low
Privileges Required    High
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-03-25. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-03-04    Broadcom releases VMSA-2025-0004; CISA adds all three CVEs to KEV (zero-day exploitation confirmed)
2025-03-25    CISA BOD 22-01 remediation deadline

References

Resource                                     Type
Broadcom Security Advisory VMSA-2025-0004    Vendor Advisory
NVD — CVE-2025-22225                         Vulnerability Database
CISA KEV Catalog Entry                       US Government