Live Threats
  • Struts: Apache Struts zero-day (CVE-2026-3101) under mass exploitation. Ransomware groups are deploying web shells on Java web apps. Patch immediately.
  • Lazarus: North Korean Lazarus Group targets SMB defense contractors via fake LinkedIn recruiter profiles delivering trojanized job documents.
  • Deepfake: Deepfake CEO video call fraud stole $3.2M in a single transaction. AI voice and face synthesis now indistinguishable, targeting US SMBs.
  • Chrome: CVE-2026-2356 Chrome zero-day actively exploited to deliver spyware. Update to 136.0.7103.92 immediately on all devices.
  • HIPAA: HHS finalized major HIPAA Security Rule updates: mandatory encryption at rest, MFA, and annual pen testing effective December 31, 2026.
  • CISA KEV: CISA added 15 new KEV entries this week; six are priority patches for internet-facing systems including Struts, Chrome, Cisco, Fortinet, Ivanti, and VMware.
Mass VMware ESXi Exploitation: Ransomware Groups Targeting Hypervisors Directly
Category: Breach | Severity: Critical | CVEs: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

Published March 27, 2026
5 min read
Source: VMware Security Advisory / CISA
Affected Systems
VMware ESXi 7.0.x, VMware ESXi 8.0.x, VMware vCenter Server 7.0.x, VMware vCenter Server 8.0.x
Executive Summary

Multiple ransomware groups are actively exploiting unpatched VMware ESXi hypervisors to encrypt virtual machine disk files, causing catastrophic outages. Apply all available patches immediately.

The Mass Exploitation Campaign

Multiple ransomware groups are conducting a coordinated mass exploitation campaign against unpatched VMware ESXi hypervisors. Unlike traditional ransomware attacks that target individual workstations or servers, these attacks target the hypervisor itself, the software layer that runs every virtual machine on the host. Once the hypervisor is under attacker control, the virtual disk files (VMDKs) of all VMs on the host can be encrypted in one pass, often after the VMs are forcibly powered off to release file locks, so every system on the affected infrastructure goes down at the same time. Organizations that run their entire IT estate on VMware ESXi can lose access to all of it at once.

Vulnerabilities Being Exploited

The campaign is primarily exploiting three VMware vulnerabilities addressed together in VMSA-2025-0004: CVE-2025-22224, a critical time-of-check/time-of-use flaw in VMCI that yields an out-of-bounds heap write and lets a privileged process inside a guest execute code as the VMX process on the host; CVE-2025-22225, an arbitrary kernel write in ESXi that escapes the VMX sandbox; and CVE-2025-22226, an out-of-bounds read in HGFS that leaks host memory (useful for defeating mitigations during the chain). All three are guest-to-host escapes, so exploitation starts from administrative code execution inside a single virtual machine, and one compromised VM becomes the springboard to every VM on the host. Fixes were published in March 2025, but many organizations have not applied them. Attackers are scanning the internet for exposed ESXi management interfaces and exploiting unpatched systems; the exploitation is largely automated, allowing attackers to compromise hundreds of hosts in a short period.

Immediate Actions Required

Apply all available VMware ESXi patches immediately; this is an emergency situation. If you cannot patch right away, restrict access to the ESXi management interface (ports 443 and 902, plus SSH on port 22 if you have it enabled) to trusted IP addresses only and ensure it is not reachable from the internet. Verify that your VM backups are current and stored in an immutable location that cannot be reached from the ESXi host or with the credentials stored on it. Check your ESXi hosts for signs of compromise, including unexpected VM snapshots, configuration changes you did not make, or unusual network connections from the host itself. If you find evidence of compromise, do not attempt to recover on your own; contact a cybersecurity incident response team immediately.
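One way to script the three host-side checks above (patch level, management-interface exposure, and recently created snapshots), as an added example rather than anything from the VMware advisory or CISA: it parses text captured from the ESXi shell with `esxcli system version get`, `esxcli network firewall ruleset allowedip list` and `vim-cmd vmsvc/snapshot.get`. The fixed build numbers, the ruleset names treated as management-facing, and the seven-day snapshot window are assumptions to verify against the advisory and your own environment; the sample outputs at the bottom are constructed, not captured from a real host.

```python
"""Triage helpers for the three ESXi checks: is the host at a fixed build, is
the management interface reachable from anywhere, and are there snapshots
nobody remembers creating. They parse text captured from an ESXi shell
(esxcli / vim-cmd); the samples at the bottom are constructed."""
import re
from datetime import datetime, timedelta

# Minimum fixed builds from VMSA-2025-0004, keyed by the "Version" line of
# `esxcli system version get` (7.0 U3s, 8.0 U2d, 8.0 U3d).
# ASSUMPTION: numbers quoted from memory; confirm against the advisory.
FIXED_BUILDS = {"7.0.3": 24585291, "8.0.2": 24585300, "8.0.3": 24585383}

# Firewall rulesets that expose management services (SSH, 443/902, 80).
# ASSUMPTION: adjust to the rulesets your hosts actually enable.
MGMT_RULESETS = {"sshServer", "vSphereClient", "webAccess"}


def parse_version(text):
    """Return (version, build) from `esxcli system version get` output."""
    fields = dict(re.findall(r"^\s*(\w+):\s*(.+?)\s*$", text, re.M))
    build = int(re.search(r"(\d+)\s*$", fields["Build"]).group(1))
    return fields["Version"], build


def patch_status(text):
    """'patched', 'vulnerable', or 'unknown' when the version is not in the table."""
    version, build = parse_version(text)
    needed = FIXED_BUILDS.get(version)
    if needed is None:
        return "unknown"
    return "patched" if build >= needed else "vulnerable"


def exposed_rulesets(text):
    """Management rulesets whose allowed-IP column is 'All' (no restriction)
    in `esxcli network firewall ruleset allowedip list` output."""
    exposed = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in MGMT_RULESETS and parts[1] == "All":
            exposed.append(parts[0])
    return sorted(exposed)


def recent_snapshots(text, now, window=timedelta(days=7)):
    """(name, created) pairs from `vim-cmd vmsvc/snapshot.get <vmid>` output
    created within `window` of `now`; vim-cmd prints M/D/YYYY H:MM:SS."""
    found = []
    for block in text.split("--Snapshot Name")[1:]:
        name = re.search(r":\s*(.*)", block).group(1).strip()
        when = re.search(r"Created On\s*:\s*(.+)", block).group(1).strip()
        created = datetime.strptime(when, "%m/%d/%Y %H:%M:%S")
        if now - created <= window:
            found.append((name, created))
    return found


def triage(version_out, firewall_out, snapshot_out, now):
    """Combine the three checks into one findings dict for a host."""
    return {
        "patch": patch_status(version_out),
        "exposed": exposed_rulesets(firewall_out),
        "recent_snapshots": [n for n, _ in recent_snapshots(snapshot_out, now)],
    }


# Constructed sample output (not captured from a real host).
SAMPLE_VERSION = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
"""
SAMPLE_FIREWALL = """\
Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
vSphereClient  All
webAccess      10.10.5.0/24
nfsClient      All
"""
SAMPLE_SNAPSHOTS = """\
Get Snapshot:
|-ROOT
--Snapshot Name        : before-2025-patching
--Snapshot Id          : 1
--Snapshot Desciption  :
--Snapshot Created On  : 3/2/2025 9:40:58
--Snapshot State       : powered on
  |-ROOT
  --Snapshot Name        : snap-0001
  --Snapshot Id          : 2
  --Snapshot Desciption  :
  --Snapshot Created On  : 3/25/2026 2:13:07
  --Snapshot State       : powered on
"""
SAMPLE_NOW = datetime(2026, 3, 27, 12, 0, 0)

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_FIREWALL, SAMPLE_SNAPSHOTS, SAMPLE_NOW))
```

Feed it each host's captured command output. A "vulnerable" result means patch now; a ruleset listed as exposed is the one to lock down with `esxcli network firewall ruleset set --ruleset-id vSphereClient --allowed-all false` followed by `esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address <your management subnet>`; and a snapshot nobody remembers taking is exactly the anomaly the text says to hand to an incident response team rather than clean up yourself.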

Key Takeaways & Action Items
  • Apply VMware ESXi patches immediately; this is a mass exploitation event
  • Ensure ESXi management interfaces (443, 902, and SSH) are not accessible from the internet
  • Verify your VM backups are current and stored in an immutable location
  • Check for signs of compromise including unexpected VM snapshots or configuration changes
  • Contact Segler.Net immediately if you run VMware infrastructure and need emergency assistance