InfoSecBulletin Cybersecurity for mankind
As of March 4, 2025, Shadowserver found that over 41,500 internet-exposed VMware ESXi hypervisors are vulnerable to the actively exploited CVE-2025-22224.
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
UAP hosted “UAP Cyber Siege 2025”, A national level cybersecurity competition
41,500 unpatched ESXi instances represent a major part of global virtualization, especially in healthcare, finance, and telecommunications.
Broadcom released an emergency update to fix a vulnerability that allows attackers with local admin access to a virtual machine (VM) to run malicious code on the hypervisor, posing serious risks to cloud infrastructure and enterprise networks.
Hypervisor Escape via TOCTOU Flaw:
CVE-2025-22224 (CVSS 9.3) is a TOCTOU vulnerability found in VMware ESXi and Workstation. It lets attackers cause an out-of-bounds write in the VMX process, which manages individual VMs.
Exploitation occurs when an attacker gains administrative access to a virtual machine’s guest operating system, allowing them to escalate privileges to the host system. This gives them complete control over all virtual machines on the hypervisor, data stores, and connected networks.
The Microsoft Threat Intelligence Center found vulnerabilities and informed Broadcom, highlighting their use in ransomware and APT campaigns. The U.S. CISA added CVE-2025-22224 to its Known Exploited Vulnerabilities list on March 4, requiring federal agencies to fix it by March 25, 2025.
Mitigations:
Broadcom released patches for all affected products, including:
VMware ESXi 8.0: Update to ESXi80U3d-24585383 or ESXi80U2d-24585300
VMware ESXi 7.0: Update to ESXi70U3s-24585291
VMware Cloud Foundation 5.x/4.5.x: Apply async patches detailed in KB389385.
Organizations should quickly isolate ESXi management interfaces from the internet, review VM administrative access, and monitor unusual VMX activity. Rapid7 and Tenable have added detection checks in their platforms to find exposed systems.
