12,600 VMware ESXi Servers in Europe Vulnerable to Actively Exploited Bug

Hackers are actively exploiting a vulnerability in VMware ESXi, which many organizations have not yet patched. In the Benelux region alone, more than 1,000 vulnerable servers can currently be detected.

Criminals are actively exploiting vulnerability CVE-2025-22224 in VMware ESXi. It allows an attacker with local privileges to escape from the secure environment of the virtual machine and then run code on the VM host as a VMX process.

Broadcom warned customers this week about the vulnerability, which has been named ESXicape and also makes use of two other bugs: CVE-2025-22225 and CVE-2025-22226. The bugs in question are zero-day vulnerabilities that are already being actively exploited in the wild. Broadcom has since released a patch and urges users to install it immediately.

Global Problem

However, not everyone is taking this urgency to heart. Shadowserver data shows that there are currently more than 1,000 vulnerable servers in the Benelux region. The majority of these are located in the Netherlands (about 1,000), but Belgium (nearly 100) and, to a lesser extent, Luxembourg (nine) also have vulnerable systems. In France, 4,270 installations are vulnerable to attack, and across Europe as a whole the scale of the problem becomes even clearer, with 12,600 vulnerable VMware ESXi servers. Globally, the total comes to 41,381 servers.

What Shadowserver can see, hackers can see too. Those relying on VMware ESXi from Broadcom would do well to install the necessary patches immediately. There are no workarounds to temporarily mitigate the problem. Broadcom has published an FAQ with additional information.