Attacks on VMware ESXi: Tens of thousands of servers still vulnerable
Security researchers warn that despite ongoing attacks, more than 40,000 instances worldwide are still unpatched. Germany is also affected.
Admins of VMware ESXi servers should urgently ensure that they have installed an up-to-date version that is protected against current attacks. Attackers are using a "critical" vulnerability to compromise systems with malicious code.
Vulnerable servers also in Germany
The vulnerability (CVE-2025-22224) and its exploitation have been known for several days. Security patches have also been available since then. However, as scans by security researchers from Shadowserver now show, many admins around the world have apparently not yet reacted and have yet to install the updates. At the time of writing, more than 41,000 instances worldwide are still vulnerable. Almost 2800 of these are servers in Germany.
If attackers have admin rights in a virtual machine, they can break out of the VM to execute malicious code in the VMX process of the host system. There is currently no information on who is behind the attacks and which targets are affected.
Patch now!
In a warning message, the developers from Broadcom state that the ESXi versions ESXi70U3s-24585291, ESXi80U2d-24585300 and ESXi80U3d-24585383 are protected against the attacks. Two further vulnerabilities have also been closed (CVE-2025-22225 "high", CVE-2025-22226 "high").
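As an added example (not from the article or from Broadcom), the following Python check compares the output of `esxcli system version get` collected from each host with the fixed builds named above. The host names and sample outputs are constructed, and treating an update level older than the listed ones as below the fixed build is an assumption of this example.

```python
import re

# Fixed builds named in the article, keyed by (release line, update level).
FIXED_BUILDS = {
    ("7.0", 3): 24585291,  # ESXi70U3s-24585291
    ("8.0", 2): 24585300,  # ESXi80U2d-24585300
    ("8.0", 3): 24585383,  # ESXi80U3d-24585383
}

def parse_version_output(text):
    """Parse `esxcli system version get` output into (line, update, build)."""
    pairs = (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)
    fields = {k.strip(): v.strip() for k, v in pairs}
    line = ".".join(fields["Version"].split(".")[:2])           # "8.0.3" -> "8.0"
    update = int(fields["Update"])
    build = int(re.search(r"(\d+)$", fields["Build"]).group(1))  # "Releasebuild-N"
    return line, update, build

def classify(text):
    """Return 'fixed', 'below-fixed', 'not-listed' or 'unparseable'."""
    try:
        line, update, build = parse_version_output(text)
    except (KeyError, ValueError, AttributeError):
        return "unparseable"
    same_line = {u: b for (l, u), b in FIXED_BUILDS.items() if l == line}
    if not same_line:
        return "not-listed"  # release line not named in the article
    if update in same_line:
        return "fixed" if build >= same_line[update] else "below-fixed"
    # Assumption: update levels older than the listed ones predate the fix.
    return "below-fixed" if update < min(same_line) else "not-listed"

def sample(version, build, update):
    """Build a constructed sample of the esxcli output layout."""
    return (f"   Product: VMware ESXi\n   Version: {version}\n"
            f"   Build: Releasebuild-{build}\n   Update: {update}\n")

# Constructed inventory: host name -> captured command output.
SAMPLE_HOSTS = {
    "esx-a": sample("8.0.3", 24585383, 3),
    "esx-b": sample("8.0.3", 24022510, 3),
    "esx-c": sample("7.0.2", 17867351, 2),
    "esx-d": sample("6.7.0", 17700523, 3),
}

def audit(hosts):
    return {name: classify(out) for name, out in hosts.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_HOSTS).items():
        print(f"{name}: {status}")
```

Hosts reported as `not-listed` or `unparseable` need a manual check against the warning message.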
Cloud Foundation, Fusion, Telco Cloud Infrastructure, Telco Cloud Platform and Workstation are also affected by the critical vulnerability. Information on the security patches for these applications is listed in the warning message.
Admins can find further information on the current attacks in an FAQ.
(des)