Attack campaign targets VMware servers to take control of them and execute code remotely

Overview
According to a March 2025 report by the cybersecurity company Sygnia, a critical vulnerability in VMware vCenter Server was being used to execute code remotely through a web shell and then deploy ransomware. The report attributes the flaw to missing input validation in configuration files, which lets attacker-supplied content be executed. An attacker who exploits it can gain control of the system, deploy ransomware, encrypt data, and demand a ransom.
A chain of three vulnerabilities, published as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 (Broadcom advisory VMSA-2025-0004, 4 March 2025), affects most supported versions of VMware ESXi, Workstation, and Fusion. All three were exploited in the wild before disclosure and were added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Affected Versions
VMware ESXi:
- CVE-2025-22224 and CVE-2025-22225 affect ESXi versions 6.7, 7.0, and 8.0.
- CVE-2025-22226 affects ESXi versions 7.0 and 8.0.
VMware Workstation:
- CVE-2025-22224 and CVE-2025-22226 affect VMware Workstation version 17.x.
VMware Fusion:
- CVE-2025-22226 affects VMware Fusion version 13.x.
Products that bundle these ESXi versions (VMware Cloud Foundation, VMware Telco Cloud Platform) are affected through them; check Broadcom advisory VMSA-2025-0004 for the exact fixed builds.
Vulnerability Description
CVE-2025-22224
Vulnerability ID: CVE-2025-22224
Severity: Critical
CVSS Score: 9.3
Description: A TOCTOU (time-of-check to time-of-use) race condition in the VMCI (Virtual Machine Communication Interface) component that results in an out-of-bounds (heap) write. An attacker with local administrative privileges inside a guest can use it to execute code as the virtual machine's VMX process on the host.
CVE-2025-22225
Vulnerability ID: CVE-2025-22225
Severity: High
CVSS Score: 8.2
Description: An arbitrary write vulnerability in ESXi. An attacker who already has code execution within the VMX process can trigger an arbitrary write into the kernel, escaping the VMX sandbox and taking control of the hypervisor.
CVE-2025-22226
Vulnerability ID: CVE-2025-22226
Severity: High
CVSS Score: 7.1
Description: An out-of-bounds read in the HGFS (Host Guest File System) component. An attacker with administrative privileges on a virtual machine can use it to leak memory from the VMX process; an information disclosure of this kind is what an exploit uses to defeat ASLR before triggering the memory-corruption bugs above.
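To make the CVE-2025-22226 bug class concrete, here is a simplified model added for this page (it is not VMware's HGFS code; the structure names, the request format and the leaked pointer value are invented). A host-side request handler copies a file-system reply into a guest-visible buffer using a length the guest supplied. When that length is only checked against the guest's buffer and not against the reply object being read, the copy runs past the file name into an adjacent host heap pointer, and the guest reads it back. The fixed handler bounds the copy by what the reply actually exposes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX_LEN   32u
#define GUEST_BUF_SIZE 128u

/* Host-side (VMX process) reply object. Only `name` is meant to be visible
 * to the guest; `next` is a host heap pointer that must never leave the host. */
struct host_reply {
    char  name[NAME_MAX_LEN];
    void *next;                 /* sensitive: reveals host memory layout */
};

/* Constructed request: the guest says how many reply bytes it wants. */
struct guest_request {
    uint32_t reply_len;
};

/* VULNERABLE: trusts the guest-supplied length. It is checked against the
 * guest buffer, but not against the size of the host object being read. */
size_t hgfs_reply_vulnerable(const struct guest_request *req,
                             const struct host_reply *reply,
                             uint8_t *guest_buf, size_t guest_buf_size)
{
    size_t n = req->reply_len;
    if (n > guest_buf_size)
        n = guest_buf_size;
    /* Demo-only clamp so this program stays well defined: the real bug reads
     * beyond the object; here the read is bounded to the object that holds
     * both fields, which is already enough to leak `next`. */
    if (n > sizeof *reply)
        n = sizeof *reply;
    memcpy(guest_buf, reply, n);        /* copies past name[] into next */
    return n;
}

/* FIXED: the copy is bounded by the bytes the guest is entitled to see. */
size_t hgfs_reply_fixed(const struct guest_request *req,
                        const struct host_reply *reply,
                        uint8_t *guest_buf, size_t guest_buf_size)
{
    const char *end = memchr(reply->name, '\0', NAME_MAX_LEN);
    size_t exposed = end ? (size_t)(end - reply->name) : NAME_MAX_LEN;
    size_t n = req->reply_len;
    if (n > exposed)
        n = exposed;
    if (n > guest_buf_size)
        n = guest_buf_size;
    memcpy(guest_buf, reply->name, n);
    return n;
}

/* Guest side: recover the host pointer from the returned bytes, if present. */
uintptr_t extract_leaked_pointer(const uint8_t *guest_buf, size_t n)
{
    if (n < offsetof(struct host_reply, next) + sizeof(void *))
        return 0;
    uintptr_t p;
    memcpy(&p, guest_buf + offsetof(struct host_reply, next), sizeof p);
    return p;
}

/* Constructed sample reply: a short name followed by a recognisable fake
 * host pointer (invented value, not a real ESXi address). */
void make_sample_reply(struct host_reply *r)
{
    memset(r, 0, sizeof *r);
    strcpy(r->name, "config.ini");
    r->next = (void *)(uintptr_t)0x7f3ac0de1000u;
}

int main(void)
{
    struct host_reply r;
    struct guest_request q = { GUEST_BUF_SIZE };   /* guest asks for far more than the name */
    uint8_t buf[GUEST_BUF_SIZE];

    make_sample_reply(&r);
    size_t n = hgfs_reply_vulnerable(&q, &r, buf, sizeof buf);
    printf("vulnerable: %zu bytes, leaked host pointer 0x%lx\n",
           n, (unsigned long)extract_leaked_pointer(buf, n));

    memset(buf, 0, sizeof buf);
    n = hgfs_reply_fixed(&q, &r, buf, sizeof buf);
    printf("fixed:      %zu bytes, leaked host pointer 0x%lx\n",
           n, (unsigned long)extract_leaked_pointer(buf, n));
    return 0;
}
```

The leaked value by itself does nothing, but it tells the attacker where the VMX heap lives, which is exactly the information needed to aim the out-of-bounds write from CVE-2025-22224 at a useful target.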
Details of the Attack Campaign
The "Web Shell to Ransomware" attack vector on the VMware platform is a dangerous method used to deploy ransomware on virtualized systems. It takes advantage of security vulnerabilities in VMware servers to execute malicious code. In this campaign the attacker proceeds in three main steps.

Step 1: System Infiltration via Web Shell
Attackers first gain a foothold on the VMware ESXi or vCenter server and install a web shell, either by exploiting a vulnerability found while scanning the target organization's network or by using stolen credentials.
Two common routes to planting the web shell:
- Exploiting RCE (Remote Code Execution) vulnerabilities: the attacker exploits unpatched vulnerabilities in VMware vCenter Server or ESXi.
- Brute force or credential theft: if the system does not enforce strong authentication, the attacker guesses passwords or reuses login information collected from earlier data breaches.
Step 2: Gain Control of the VMware Server
Once inside, the attacker chains the three vulnerabilities CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 to move from a guest virtual machine to the hypervisor.
The first technique is virtual machine escape: exploiting a flaw to break out of the guest and run code on the physical host. CVE-2025-22224 is the vulnerability used for this step.
The attacker needs local administrative rights inside the guest. The flaw is a TOCTOU (time-of-check to time-of-use) race in VMCI: a guest-controlled value is validated and then read again from guest-writable memory before it is used, so a change made in the window between the two reads turns a bounded operation into an out-of-bounds write.
Exploiting that out-of-bounds write gives the attacker code execution with the privileges of the VMX process on the host. This is the VM escape, but not yet full control of the server: the VMX process runs in a sandbox, which is why the next vulnerability is needed.
CVE-2025-22225 is exploited next.
It lets code running in the VMX process perform arbitrary writes into the ESXi kernel. By writing attacker-chosen data to critical kernel memory locations, the attacker alters the system's behavior at will.
With arbitrary kernel write, the attacker escapes the VMX sandbox and takes control of the physical host, putting every virtual machine on it at risk.
The third vulnerability in the chain, CVE-2025-22226, is an out-of-bounds read in HGFS that leaks sensitive memory contents of the VMX process.
HGFS (Host-Guest File System) is the component that shares files between the host and the virtual machine. The flaw lets a guest administrator trigger reads beyond the intended buffer and obtain data that was never meant to be visible to the guest.
Although listed last here, an information leak of this kind is typically used early in a real exploit chain: the disclosed addresses let the attacker defeat ASLR in the VMX process before the out-of-bounds write of CVE-2025-22224 is triggered.
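The TOCTOU race behind CVE-2025-22224 is easier to see in code than in prose. The example below is a simplified model added for this page, not VMware's VMCI implementation: the shared page, the host buffer, the canary and the hook that stands in for a second guest vCPU are all invented for the demonstration, and the race is injected through that hook so the result is deterministic. The vulnerable handler validates a guest-controlled length and then fetches it a second time when it performs the copy; the fixed handler fetches it once into host-private memory and never looks at guest memory again.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DST_SIZE    64u     /* size the host allocates for one message */
#define SHARED_SIZE 256u    /* guest-writable payload area */
#define CANARY      0xDEADBEEFu

/* Memory the guest can write at any time, e.g. a shared ring page. Both the
 * length field and the payload are under attacker control. */
struct shared_page {
    uint32_t len;
    uint8_t  payload[SHARED_SIZE];
};

/* Host-side destination: the intended buffer, then a canary so the demo can
 * detect an overflow instead of silently corrupting the heap, then slack that
 * keeps the oversized copy inside one object (demo-only; the real target is
 * whatever happens to follow the buffer on the VMX heap). */
struct host_buf {
    uint8_t  data[DST_SIZE];
    uint32_t canary;
    uint8_t  slack[SHARED_SIZE];
};

/* Stands in for a second guest vCPU writing to the shared page while the host
 * is between its check and its use. */
typedef void (*race_hook_t)(struct shared_page *sp);

void host_buf_init(struct host_buf *hb)
{
    memset(hb, 0, sizeof *hb);
    hb->canary = CANARY;
}

int host_buf_intact(const struct host_buf *hb)
{
    return hb->canary == CANARY;
}

/* VULNERABLE (double fetch): sp->len is validated, then read a second time
 * from guest memory when the copy length is computed. A guest write in the
 * window turns the bounded copy into an out-of-bounds write on the host. */
size_t host_copy_vulnerable(struct shared_page *sp, struct host_buf *hb, race_hook_t race)
{
    if (sp->len > DST_SIZE)             /* time of check: first fetch */
        return 0;
    if (race)
        race(sp);                       /* guest changes len on another vCPU */
    size_t n = sp->len;                 /* time of use: second fetch */
    if (n > sizeof *hb)                 /* demo-only clamp; the real bug has none */
        n = sizeof *hb;
    memcpy((uint8_t *)hb, sp->payload, n);  /* data[] is at offset 0; n > DST_SIZE hits the canary */
    return n;
}

/* FIXED: fetch the guest-controlled field exactly once into host-private
 * memory, validate that copy, and use only that copy. The guest can still
 * change sp->len, but the host never reads it again. */
size_t host_copy_fixed(struct shared_page *sp, struct host_buf *hb, race_hook_t race)
{
    uint32_t len = sp->len;             /* single fetch */
    if (len > DST_SIZE)
        return 0;
    if (race)
        race(sp);                       /* same race, now harmless */
    memcpy(hb->data, sp->payload, len);
    return len;
}

/* Guest behaviour for the demo: present a legal length, then enlarge it
 * immediately after the host's check. */
void guest_race_enlarge(struct shared_page *sp)
{
    sp->len = SHARED_SIZE;
}

/* Constructed guest input: payload of 0x41 bytes and a legal length of 16. */
void shared_page_prepare(struct shared_page *sp)
{
    memset(sp->payload, 0x41, sizeof sp->payload);
    sp->len = 16;
}

int main(void)
{
    struct shared_page sp;
    struct host_buf hb;

    shared_page_prepare(&sp);
    host_buf_init(&hb);
    size_t n = host_copy_vulnerable(&sp, &hb, guest_race_enlarge);
    printf("vulnerable: copied %zu bytes, canary %s\n", n, host_buf_intact(&hb) ? "intact" : "CLOBBERED");

    shared_page_prepare(&sp);
    host_buf_init(&hb);
    n = host_copy_fixed(&sp, &hb, guest_race_enlarge);
    printf("fixed:      copied %zu bytes, canary %s\n", n, host_buf_intact(&hb) ? "intact" : "CLOBBERED");
    return 0;
}
```

The point for reviewers of hypervisor or driver code: any field that lives in memory the other side can write must be copied out once and validated on the private copy. A check on the shared copy is worthless no matter how thorough it is, because the attacker controls what is there at the time of use.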
Step 3: Deploy Ransomware on Virtual Machines
After escalating from a guest to the ESXi hypervisor, the attackers begin deploying ransomware at scale.
With control over the hypervisor, the attacker can encrypt every virtual machine that ESXi manages, leading to large-scale data loss and significant disruption to the organization's operations.
Detailed Impact
The "From Web Shell to Ransomware" attack method exploits vulnerabilities in VMware ESXi, the 2025 chain described above as well as the earlier CVE-2024-37085 (an authentication bypass in ESXi's Active Directory integration that ransomware operators abused in 2024), and has serious consequences for organizations and businesses.
Encryption and Operational Disruption:
- Attackers use the vulnerability to deploy ransomware, encrypt virtual machines, and cause significant business operation disruptions.
Data Leakage and Loss:
- Besides encryption, attackers can access and steal sensitive data from virtual machines, leading to the loss of important information and privacy violations.
Increased Recovery Costs and Time:
- Organizations face high costs and long recovery times after these attacks, affecting their reputation and business operations.
Recommendations
Update and Patch Immediately
- Broadcom (VMware) has released patches under advisory VMSA-2025-0004. Update ESXi to 8.0 Update 3d, 8.0 Update 2d or 7.0 Update 3s (or the corresponding ESXi 6.7 patch), Workstation to 17.6.3, and Fusion to 13.6.3 or later. Broadcom lists no workaround for these three vulnerabilities, so patching is the only complete fix; prioritise hosts that run untrusted or multi-tenant guests, since the exploit starts from an administrator inside a VM.
Restrict Access and Protect Servers
- Disable the ESXi Shell and SSH services when they are not in use, and enable them only for the duration of a maintenance task; this removes a remote path for planting a web shell or running tooling on the host.
- Use the ESXi firewall to restrict management access (SSH, the host client, vCenter traffic) to trusted IP addresses only.
- Do not grant root or more administrative privileges than a user or service account needs, on the hosts and inside the guests.
Note that the three 2025 vulnerabilities are triggered from inside a guest by an attacker who already holds administrative rights in that VM. Host-side access controls make it harder to reach such a position, but they do not block the exploit itself; only the patch does.
Limit Web Shell Attacks
- Keep web server software (Apache, Nginx, IIS, etc.) patched to close the RCE vulnerabilities used to drop web shells.
- Block uploads of suspicious files that may contain malware, and monitor web directories for newly created or modified executable content (JSP, PHP, ASPX), a common indicator of a planted web shell.
- Use a WAF (Web Application Firewall) to filter malicious traffic.
Disable Unnecessary Features
- If HGFS shared folders (a Workstation and Fusion feature) are not needed, disable them to reduce exposure to CVE-2025-22226; this narrows the attack surface but does not replace the patch.
- Review the security settings of each virtual machine and disable unnecessary services and virtual devices.
Conclusion
"Web Shell to Ransomware" is one of the biggest threats to VMware ESXi systems because it not only exploits security vulnerabilities to gain control of the system but can also encrypt entire virtual machines, causing serious business disruptions. Updating software, monitoring systems, and backing up data are three crucial factors in protecting systems from these attacks. Protecting systems from ransomware threats not only helps avoid financial losses but also maintains the stability and reputation of the organization.