Mass VMware ESXi Exploitation: Ransomware Groups Targeting Hypervisors Directly
Tags: BREACH, CRITICAL, CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

Published March 27, 2026
5 min read
Source: VMware Security Advisory / CISA
Affected Systems
  • VMware ESXi 7.0.x
  • VMware ESXi 8.0.x
  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 8.0.x
Executive Summary

Multiple ransomware groups are actively exploiting unpatched VMware ESXi hypervisors to encrypt virtual machine disk files, causing catastrophic outages. Apply all available patches immediately.

The Mass Exploitation Campaign

Multiple ransomware groups are conducting a coordinated mass exploitation campaign targeting VMware ESXi hypervisors running unpatched versions. Unlike traditional ransomware attacks that target individual workstations or servers, these attacks target the hypervisor itself — the software layer that runs all virtual machines. By compromising the hypervisor, attackers can encrypt the virtual machine disk files (VMDK files) of all VMs running on the host simultaneously, causing catastrophic outages affecting every system running on the affected infrastructure. Organizations that run their entire IT infrastructure on VMware ESXi can lose access to all systems at once.

Vulnerabilities Being Exploited

The campaign is primarily exploiting three VMware vulnerabilities: CVE-2025-22224 (a critical heap overflow in VMCI that allows guest-to-host escape), CVE-2025-22225 (an arbitrary write vulnerability in ESXi), and CVE-2025-22226 (an information disclosure vulnerability in HGFS). These vulnerabilities were patched by VMware in early 2025, but many organizations have not applied the patches. Attackers are scanning the internet for exposed ESXi management interfaces and exploiting unpatched systems. The exploitation is largely automated, allowing attackers to compromise hundreds of systems in a short period.

Immediate Actions Required

Apply all available VMware ESXi patches immediately — this is an emergency situation. If you cannot patch immediately, restrict access to the ESXi management interface (ports 443 and 902) to trusted IP addresses only and ensure it is not accessible from the internet. Verify that your VM backups are current and stored in an immutable location that cannot be accessed from the ESXi host. Check your ESXi hosts for signs of compromise, including unexpected VM snapshots, configuration changes you did not make, or unusual network connections. If you find evidence of compromise, do not attempt to recover on your own — contact a cybersecurity incident response team immediately.
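The three checks above (patch level, management-interface exposure, unexpected snapshots) can be run as one posture review across a fleet of hosts. The script below is an added example written for this advisory; it is not VMware's code or Segler.Net's tooling. It assumes an operator has already collected, per host, the build number (`esxcli system version get`), the allowed-all flag and allowed-IP list of the management firewall ruleset (`esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list`), and the list of snapshot-creation tasks from vCenter. The record layout, the `PATCHED_BUILD` numbers, the trusted network, the service-account name and the three sample hosts are all constructed for the example; the real fixed build for each ESXi branch must be taken from the VMware advisory.

```python
"""Fleet posture review for the three actions in the ESXi advisory.

Added example: field names are this script's own, not a VMware API.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

# PLACEHOLDER: replace with the fixed build number for each ESXi branch from
# the VMware advisory. These values are made up so the example runs offline.
PATCHED_BUILD = {"7.0": 24000000, "8.0": 24500000}

# Source networks allowed to reach the management interface (443/902). Constructed.
TRUSTED_MGMT_NETS = [ip_network("10.10.0.0/24")]

# Accounts that are expected to create snapshots (e.g. the backup service). Constructed.
EXPECTED_SNAPSHOT_USERS = {"backup-svc"}


@dataclass
class HostRecord:
    """One ESXi host as collected by the operator."""
    name: str
    branch: str                        # "7.0" or "8.0"
    build: int                         # esxcli system version get
    mgmt_allowed_all: bool             # management ruleset allowed-all flag
    mgmt_allowed_ips: List[str]        # management ruleset allowed IPs/CIDRs
    snapshots: List[Tuple[str, str]]   # (ISO timestamp, user) of createSnapshot tasks


def assess_host(host: HostRecord) -> List[str]:
    """Return a list of findings; an empty list means the host passes all checks."""
    findings: List[str] = []

    # 1. Patch level: the host must be at or above the fixed build for its branch.
    patched = PATCHED_BUILD.get(host.branch)
    if patched is None:
        findings.append(f"UNKNOWN BRANCH {host.branch}: cannot verify patch level")
    elif host.build < patched:
        findings.append(f"UNPATCHED: build {host.build} < fixed build {patched}")

    # 2. Management interface: no allowed-all, and every allowed source must sit
    #    inside a trusted network.
    if host.mgmt_allowed_all:
        findings.append("EXPOSED: management ruleset accepts connections from any source")
    else:
        for src in host.mgmt_allowed_ips:
            net = ip_network(src, strict=False)  # bare IP becomes a /32 or /128
            trusted = any(net.version == t.version and net.subnet_of(t)
                          for t in TRUSTED_MGMT_NETS)
            if not trusted:
                findings.append(f"EXPOSED: management allowed from untrusted source {src}")

    # 3. Snapshots created by anyone other than the expected accounts are flagged
    #    for review (the advisory lists unexpected snapshots as an indicator).
    for when, user in host.snapshots:
        if user not in EXPECTED_SNAPSHOT_USERS:
            findings.append(f"SUSPECT SNAPSHOT: {when} by {user}")

    return findings


def fleet_report(hosts: List[HostRecord]) -> Dict[str, List[str]]:
    """Map host name -> findings, including only hosts that have at least one."""
    report = {h.name: assess_host(h) for h in hosts}
    return {name: f for name, f in report.items() if f}


# Constructed sample fleet: one clean host, one fully exposed host, one with a
# stray allowed source on the management interface.
SAMPLE_HOSTS = [
    HostRecord("esx01", "8.0", 24500000, False, ["10.10.0.5"],
               [("2026-03-26T02:00:00Z", "backup-svc")]),
    HostRecord("esx02", "7.0", 23000000, True, [],
               [("2026-03-27T03:14:00Z", "root")]),
    HostRecord("esx03", "8.0", 24500000, False, ["10.10.0.0/24", "203.0.113.7"], []),
]

if __name__ == "__main__":
    for name, findings in fleet_report(SAMPLE_HOSTS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

A host that shows `EXPOSED` can be restricted on the ESXi shell with `esxcli network firewall ruleset set --ruleset-id <ruleset> --allowed-all false` followed by `esxcli network firewall ruleset allowedip add --ruleset-id <ruleset> --ip-address <trusted CIDR>`, applied to the ruleset that carries ports 443 and 902; this only narrows who can reach the interface and is no substitute for the patch. A `SUSPECT SNAPSHOT` finding is a lead for the incident response team, not proof of compromise on its own.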

Key Takeaways & Action Items
  • Apply VMware ESXi patches immediately — this is a mass exploitation event
  • Ensure ESXi management interfaces are not accessible from the internet
  • Verify your VM backups are current and stored in an immutable location
  • Check for signs of compromise including unexpected VM snapshots or configuration changes
  • Contact Segler.Net immediately if you run VMware infrastructure and need emergency assistance

Need Help With This Threat?

Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.
