Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The recently disclosed VMware ESXi vulnerabilities pose a serious security risk, enabling attackers to exploit virtualized environments through VM escape, remote code execution (RCE), privilege escalation, and data leakage. With cybercriminals actively targeting these flaws, organizations must act swiftly to secure their infrastructure.

On March 4, 2025, Broadcom, which acquired VMware in 2023, released security updates to fix three actively exploited vulnerabilities in VMware ESXi, Workstation, and Fusion that could result in code execution and information disclosure. CVE-2025-22224 is a critical TOCTOU (Time-of-Check Time-of-Use) race condition vulnerability that leads to an out-of-bounds write, allowing an attacker with administrative privileges on a virtual machine to execute code as the VMX process on the host.

If you have ever deployed a VMware VM on VMware ESXi, VMware Workstation, VMware Player, or VMware Fusion, you’ve probably noticed that after installing a guest operating system (OS), you are asked to install VMware Tools. In this blog post, we cover what VMWare Tools is and the VMware Tools installation process on different operating systems including Linux, Windows, macOS, FreeBSD, and Solaris.

Ask Our Expert VMware vSphere Kubernetes Service (VKS), formerly known as Tanzu Kubernetes Grid (TKG) Service, has emerged as a popular platform for enterprises deploying containerized workloads, particularly those that rely on vSphere Kubernetes release (VKr), previously referred to as Tanzu Kubernetes release, for their cloud-native infrastructure.

In a recent development, cybersecurity researchers have identified a new Linux variant of the notorious Play ransomware, also known as Balloonfly and PlayCrypt. This variant specifically targets VMware ESXi environments, signaling a strategic expansion by the threat actors behind it. Trend Micro's report published on Friday highlights the potential for a broader victim pool and more effective ransom negotiations as a result of this evolution.

On June 17, 2024, VMware disclosed two critical vulnerabilities (CVE-2024-37079 & CVE-2024-37080) affecting vCenter Server and Cloud Foundation. These vulnerabilities stem from a heap-overflow issue in the implementation of the DCERPC protocol which can be exploited by remote threat actors. By sending specially crafted network packets, threat actors could exploit CVE-2024-37079 and CVE-2024-37080 to achieve Remote Code Execution (RCE) on both vCenter Server and Cloud Foundation systems.

Novel Attack Vector Uses Custom Shell for Payload Delivery and Execution A fresh variant of the Mallox ransomware has emerged, specifically targeting VMware ESXi environments with administrative privileges. This advanced attack method, discovered by researchers at Trend Micro, demonstrates the evolving sophistication of ransomware tactics. Mallox Ransomware: An Overview Mallox, also known as Fargo and Tohnichi, first emerged in June 2021.