Researchers: ‘Critical’ VMware ESXi Vulnerability Still Impacts 37,000 Servers

The vulnerability — which had been disclosed Tuesday and is known to have been exploited in attacks — initially affected more than 41,000 servers, according to researchers at Shadowserver.

A critical-severity VMware ESXi vulnerability — which had been disclosed Tuesday and is known to have been exploited in attacks — continues to affect about 37,300 servers, according to researchers at Shadowserver.

That’s down from about 41,450 impacted servers as of earlier this week, the organization reported.

The critical vulnerability (tracked at CVE-2025-22224) was one of three VMware ESXi vulnerabilities disclosed Tuesday by Broadcom, which has fixed the flaws in patched software versions.

“These vulnerabilities, which were responsibly reported to Broadcom by the Microsoft Threat Intelligence Center, range in severity from important to critical,” Broadcom said in a statement provided to CRN Thursday. “Exploitation of these vulnerabilities may allow a threat actor to access a hypervisor through a running virtual machine, but requires the actor to first obtain local privileges on the virtual machine.”

In the statement, Broadcom said it “recommends all customers using vulnerable versions of the affected [VMware Cloud Foundation] platform components promptly update to the ‘fixed version’ identified in the security advisory.”

In its advisory about the vulnerabilities Tuesday, Broadcom said it “has information to suggest that exploitation” of the three flaws “has occurred in the wild.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation of the three vulnerabilities Tuesday, adding the flaws to its catalog of exploited vulnerabilities.

In addition to the critical-severity vulnerability, the two other vulnerabilities are tracked at CVE-2025-22225 and CVE-2025-22226. The three flaws have been addressed with updates to ESXi, Workstation and Fusion.

For the critical vulnerability, a “malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host,” Broadcom said in the advisory.

In a post Wednesday, researchers at threat tracker Shadowserver said that the critical vulnerability impacted nearly 41,450 VMware ESXi servers. That number has only decreased by about 4,000 since the patches were released, according to the group’s website, which was reported by BleepingComputer Thursday.