
The Shadowserver Foundation reports that approximately 37,000 internet-exposed VMware ESXi instances remain vulnerable to CVE-2025-22224, a critical out-of-bounds write vulnerability currently being exploited in the wild. This represents a decrease from the 41,500 vulnerable instances reported yesterday, indicating that about 4,500 devices were patched within 24 hours.
CVE-2025-22224 is a critical VMCI heap-overflow vulnerability that allows local attackers with administrative privileges on a virtual machine to escape its isolation and execute code on the host system as the VMX process. Broadcom disclosed this vulnerability on March 4, 2025, alongside two other flaws (CVE-2025-22225 and CVE-2025-22226), confirming that all three were being exploited as zero-days.
The vulnerabilities were discovered by the Microsoft Threat Intelligence Center, though details about the attackers' origins and targets remain undisclosed. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has mandated that federal and state organizations apply the updates by March 25, 2025, or discontinue use of the affected products.
Geographically, the highest concentrations of vulnerable instances are in China (4,400), France (4,100), the United States (3,800), Germany (2,800), Iran (2,800), and Brazil (2,200). The global impact is significant due to VMware ESXi’s widespread use as a hypervisor in enterprise environments.
Broadcom has not provided workarounds for this vulnerability. Users should consult Broadcom’s security bulletin for information on patched ESXi versions and refer to the vendor’s FAQ page for additional recommendations and impact details.