← Back to The Signal PRACTICAL DEFENSE

One VM in. Every VM gone.

Jun 18, 2026 · 6 min read

A ransomware crew doesn't dream about your laptops. Encrypting endpoints one at a time is slow, loud, and survivable. What they want is the layer underneath all of it — the hypervisor — because everything you run lives there as a guest: production, the databases, the domain controllers, and very often the backups meant to save you. Reach the hypervisor and you don't encrypt a machine. You encrypt the estate, all at once, and everyone watches their screen go dark in the same minute.

That's why ransomware has been climbing the stack toward VMware ESXi. And CISA has now confirmed what defenders feared: an ESXi flaw is being actively used in ransomware campaigns.

The escape: from one guest to the whole host

The vulnerability CISA flags for ransomware use is CVE-2025-22225, an arbitrary-write flaw in ESXi (CVSS 8.2), one of a trio Broadcom disclosed alongside CVE-2025-22224 (CVSS 9.3) and CVE-2025-22226. Researchers at Huntress observed an exploit toolkit chaining all three, and the mechanics are exactly the nightmare scenario: an attacker who has gained privileges inside a guest's VMX process can trigger an arbitrary kernel write and escape the virtual machine sandbox onto the host itself.

Read that as an attacker would. Compromising one ordinary virtual machine is a normal Tuesday — phishing, a web shell, a stolen credential. Most of the time that's a contained problem on one box. The escape is what turns it catastrophic: it converts "I'm on a guest VM" into "I own the hypervisor every other VM runs on." One foothold, promoted to the whole data center.

Ransomware's evolution isn't louder malware. It's higher targets. The crews stopped fighting your endpoints and went after the one box that runs all of them.

The crown jewel with the thinnest visibility

Here's the part that makes ESXi the worst-case target. It is simultaneously the most consolidated system you own and the least watched. You can't install an endpoint agent on the hypervisor — it isn't a place your EDR runs. Its logging is limited, it runs headless, and most security programs treat it as infrastructure plumbing rather than an attack surface. So the highest-blast-radius box on the network is also the one with the dimmest lights.

That combination is why these attacks succeed. The intrusion rides straight through the coverage gap: a guest VM gets compromised (maybe noticed, maybe not), the VMX escape generates almost nothing anyone is watching, and the first unambiguous signal — mass encryption across every VM — arrives only when it's already over. By the time the alert is undeniable, recovery is measured in weeks, assuming the backups weren't virtualized on the same hosts.

The signals were quiet, not absent

An ESXi ransomware run isn't actually silent. It's quiet — which is different. The signals exist; they just don't look like "ransomware" until they're assembled:

Each one, on its own, has an innocent explanation. An admin enabling SSH to troubleshoot. A maintenance task powering down VMs. Pulled apart and routed to whoever happens to own "virtualization," none of them trips an alarm. Held together, in order, they are a ransomware operation staging on your hypervisor — and the window to stop it is the span between the escape and the first encrypted datastore.

Reaching the box you can't put an agent on

The defense for a system you can't install an agent on is to investigate its telemetry anyway — the ESXi logs, the vCenter activity, the guest-side anomalies — as one correlated picture rather than four disconnected feeds. n0limit pulls those signals into a single investigation: the guest-VM compromise, the escape indicators, the out-of-window vCenter session, the sequence of power-offs are enriched and connected and resolved to a verdict in under 500 microseconds, surfaced as one pre-encryption incident with a reasoning trail an operator can audit.

That speed is the entire game here, because the blast radius of an ESXi compromise is total. A verdict in microseconds means containment can fire while the attacker is still escaping a single guest — before the mass power-off, before the first datastore is encrypted, before "one VM" becomes "every VM." You don't get a second alert with the hypervisor. The first one has to count.

Ransomware went up the stack, to the layer with the most blast radius and the least light. A security program that watches every endpoint and leaves the hypervisor in the dark is guarding the doors of a house whose foundation is wide open. The verdict has to reach ESXi too — and reach it at machine speed, while there's still one VM to save.

Related from The Signal

VISION The attacker fixed its own bug in 31 seconds. THREAT RESEARCH Open the email. The attacker is now you. INDUSTRY ANALYSIS 208 CVEs in a day. Patching was never the plan.

See the hypervisor. It's where the whole estate lives.

See n0limit investigate and correlate ESXi, vCenter, and guest signals to a verdict in under 500 microseconds — before one VM becomes every VM.

Book a demo →