Ransomware gangs are actively exploiting the VMware ESXi flaw CVE-2025-22225, which allows attackers to escape the VMX sandbox. Researchers found evidence of a toolkit used in these attacks, indicating that the vulnerabilities were known to the threat actors long before their public disclosure. CISA has confirmed the flaw's involvement in ongoing ransomware incidents.

Researchers at Huntress report a 700% increase in ransomware attacks targeting hypervisors, particularly by the Akira group. These attacks exploit vulnerabilities in hypervisor security, allowing criminals to bypass traditional defenses and compromise virtual machines. Admins are urged to enhance security measures, including multi-factor authentication and patching.