{"id":37301,"date":"2025-03-08T10:37:53","date_gmt":"2025-03-08T09:37:53","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=37301"},"modified":"2025-03-08T10:37:53","modified_gmt":"2025-03-08T09:37:53","slug":"over-37000-vmware-esxi-servers-vulnerable-via-cve-2025-22224","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/03\/08\/over-37000-vmware-esxi-servers-vulnerable-via-cve-2025-22224\/","title":{"rendered":"Over 37,000 VMware ESXi servers vulnerable via CVE-2025-22224"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" alt=\"Security (Pexels, general use)\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/03\/08\/ueber-37-000-vmware-esxi-server-ueber-cve-2025-22224-angreifbar\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]This week, VMware by Broadcom has released security updates for various products, including VMware ESXi servers, to close security gaps. One vulnerability has already been exploited as a 0-day. Now The Shadowserver Foundation warns that over 37,000 VMware ESXi servers are vulnerable via CVE-2025-22224. Germany is also represented with several thousand installations.<\/p>\n<p><!--more--><\/p>\n<h2>VMware security advisory and updates<\/h2>\n<p>VMware by Broadcom published a security advisory on March 4, 2025 to warn of three zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226). 
One of these vulnerabilities may have already been exploited in the wild and patching is strongly advised.<\/p>\n<p>According to the advisory <a href=\"https:\/\/support.broadcom.com\/web\/ecx\/support-content-notification\/-\/external\/content\/SecurityAdvisories\/0\/25390\" target=\"_blank\" rel=\"noopener\">VMSA-2025-0004<\/a>, the vulnerabilities affect VMware ESXi, Workstation and Fusion. The vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-22224\" target=\"_blank\" rel=\"noopener\">CVE-2025-22224<\/a> in VMware ESXi (and Workstation) is a Time-of-Check Time-of-Use (TOCTOU) bug that leads to an out-of-bounds write. VMware has rated the severity of this issue as critical, with a maximum CVSSv3 base score of 9.3. I reported on the issue in the blog post <a href=\"https:\/\/borncity.com\/win\/2025\/03\/05\/0-day-vulnerabilities-in-vmware-esxi-workstation-and-fusion\/\">0-day vulnerabilities in VMWare ESXi, Workstation and Fusion<\/a>.<\/p>\n<h2>37,000 ESXi servers vulnerable via CVE-2025-22224<\/h2>\n<p>Now The Shadowserver Foundation warns that over 37,000 VMware ESXi servers are vulnerable to CVE-2025-22224. 
I became aware of this via the following <a href=\"https:\/\/x.com\/Shadowserver\/status\/1897375815605870833\" target=\"_blank\" rel=\"noopener\">post<\/a>.<\/p>\n<p><a href=\"https:\/\/dashboard.shadowserver.org\/statistics\/combined\/tree\/?day=2025-03-04&amp;source=http_vulnerable&amp;source=http_vulnerable6&amp;tag=cve-2025-22224%2B&amp;geo=all&amp;data_set=count&amp;scale=log\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/ry5pP97b\/image.png\" alt=\"VMware ESXi CVE-2025-22224 vulnerable instances\" width=\"590\" height=\"574\" \/><\/a><\/p>\n<p>According to The Shadowserver Foundation's <a href=\"https:\/\/dashboard.shadowserver.org\/statistics\/combined\/tree\/?day=2025-03-04&amp;source=http_vulnerable&amp;source=http_vulnerable6&amp;tag=cve-2025-22224%2B&amp;geo=all&amp;data_set=count&amp;scale=log\" target=\"_blank\" rel=\"noopener\">website<\/a>, a search for the USA found around 3,800 unpatched VMware ESXi servers as of March 4, 2025.<\/p>\n<p><a href=\"https:\/\/dashboard.shadowserver.org\/statistics\/combined\/time-series\/?date_range=7&amp;source=http_vulnerable&amp;source=http_vulnerable6&amp;tag=cve-2025-22224%2B&amp;geo=Europe&amp;dataset=unique_ips&amp;group_by=geo&amp;style=stacked\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/PJ1zL83x\/image.png\" alt=\"VMware ESXi server patch history\" width=\"640\" height=\"513\" \/><\/a><\/p>\n<p>I took a look at the following days &#8211; the number drops and then rises again until March 7, 2025. The curve of the patch status over time shown in the screenshot above for Europe also shows this dip.<\/p>\n<p>This is something that cannot really be explained logically. How can the number of vulnerable servers decrease briefly, only to increase again a day later? 
One explanation that comes to mind would be that the administrators took their VMware ESXi servers offline for a day after the warning from Broadcom.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]This week, VMware by Broadcom has released security updates for various products, including VMware ESXi servers, to close security gaps. One vulnerability has already been exploited as a 0-day. Now The Shadowserver Foundation warns that over 37,000 VMware ESXi servers &hellip; <a href=\"https:\/\/borncity.com\/win\/2025\/03\/08\/over-37000-vmware-esxi-servers-vulnerable-via-cve-2025-22224\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,22,1218],"tags":[2021,69,195,1710],"class_list":["post-37301","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-update","category-virtualization","tag-esxi","tag-security","tag-update","tag-vmware"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=37301"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37301\/revisions"}],"predecessor-version":[{"id":37302,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37301\/revisions\/37302"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=37301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"h
ttps:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=37301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=37301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}