Broadcom Warns of Actively Exploited VMware Vulnerabilities, Urges Immediate Patching

Elliot Kim

March 05, 2025 · 3 min read
Broadcom, the U.S. technology giant, has issued a warning to its corporate customers about three critical vulnerabilities in VMware's hypervisor products, which are being actively exploited by malicious hackers. The vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, affect VMware ESXi, Workstation, and Fusion, and could allow an attacker who already controls a virtual machine to escape its sandbox and gain unauthorized access to the underlying hypervisor.

The vulnerabilities, collectively dubbed "ESXicape" by one security researcher, have been exploited in the wild, according to Broadcom. This means that attackers have already begun taking advantage of these flaws to compromise corporate networks. The impact of these vulnerabilities is significant, as an attacker who gains access to the hypervisor can then compromise any other virtual machine, including those owned by other companies within the same physical data center.

Stephen Fewer, principal security researcher at Rapid7, emphasized the severity of the situation, stating, "The impact here is huge, an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor." This underscores the importance of prompt patching to prevent further exploitation.

Broadcom has not shared details about the nature of the attacks or the threat actors behind them, nor has it disclosed whether any customer data has been accessed. Microsoft, which discovered and reported the vulnerabilities to Broadcom, has also remained silent on the matter.

Security researcher Kevin Beaumont has reported that the three vulnerabilities are being actively exploited by an unnamed ransomware group. This is not surprising: ransomware groups frequently target VMware vulnerabilities because a single exploit against a hypervisor can compromise many servers at once. Sensitive corporate data is often stored in these virtualized environments, making them a prime target for attackers.

This is not the first time VMware vulnerabilities have been exploited by ransomware groups. In 2024, Microsoft discovered that multiple ransomware groups were exploiting a VMware hypervisor flaw to deploy Black Basta and LockBit ransomware in data-stealing campaigns targeting corporate data. The previous year, a large-scale hacking campaign, dubbed "ESXiArgs," saw ransomware groups exploit a two-year-old VMware vulnerability to target thousands of organizations worldwide.

Broadcom has released patches for the three vulnerabilities, which are classified as "zero-day" bugs because they were exploited before a fix was available. The company has described its security advisory as an "emergency" change and is urging customers to apply the patches as soon as possible.

The U.S. government cybersecurity agency CISA has also taken notice of the vulnerabilities, adding them to its running catalog of vulnerabilities known to be exploited in the wild. Federal agencies are being directed to patch the bugs to prevent potential compromises.

In conclusion, the active exploitation of these VMware vulnerabilities highlights the importance of timely patching and vigilance in the face of emerging threats. As the cybersecurity landscape continues to evolve, it is crucial for organizations to stay informed and proactive in protecting their networks and data.

Copyright © 2024 Starfolk. All rights reserved.