Saved February 14, 2026
Do you care about this?
Ransomware gangs are actively exploiting the VMware ESXi flaw CVE-2025-22225, which allows attackers to escape the VMX sandbox. Researchers found evidence of a toolkit used in these attacks, indicating that the vulnerabilities were known to the threat actors long before their public disclosure. CISA has confirmed the flaw's involvement in ongoing ransomware incidents.
If you do, here's more
CISA has confirmed that ransomware groups are actively exploiting the VMware ESXi vulnerability CVE-2025-22225, which allows attackers with certain privileges to escape the VMX sandbox. This flaw is categorized as an arbitrary write issue, posing significant risks to systems using VMware ESXi. VMware previously acknowledged the exploitation of this flaw in the wild, along with two other zero-day vulnerabilities, in its March 2025 advisory (VMSA-2025-0004). The other vulnerabilities include CVE-2025-22226, an out-of-bounds read, and CVE-2025-22224, a TOCTOU vulnerability.
Research from Huntress revealed that Chinese-speaking attackers used a compromised SonicWall VPN to distribute a toolkit targeting VMware ESXi. Analysis indicates that this exploit chain, which includes advanced VM escape techniques, may have been in development for over a year before VMware disclosed the related vulnerabilities. The attackers used Domain Admin credentials to move laterally within networks, modify firewall rules, and prepare for data exfiltration. Their toolkit, capable of targeting up to 155 ESXi builds, disables VMCI drivers and loads unsigned kernel drivers, paving the way for ransomware deployment.
The attackers use an orchestrator named MAESTRO to manage the exploitation process. This tool disables VMCI drivers, loads unsigned exploit drivers, and executes several techniques to bypass security measures. The exploit chain can leak VMX memory and abuse the other vulnerabilities, ultimately allowing the attackers to escape to the ESXi kernel. Huntress researchers believe the development paths embedded in the exploit binaries suggest the exploit has been in use since at least February 2024. CISA has updated its KEV catalog to reflect the active exploitation of CVE-2025-22225 in ransomware attacks, underscoring that the threat is ongoing.