CVE-2025-22224: Why I Patched My VxRail Cluster Immediately and Why You Should Too

Nicholas Siakotos
security vmware vxrail

Introduction

VMware's latest security advisory, VMSA-2025-0004, includes critical vulnerabilities—CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226—that have significant implications for vSphere environments. The most concerning of these, CVE-2025-22224, is a full VM escape vulnerability that allows an attacker to break out of a virtual machine and gain control over the hypervisor. Worse, it's actively being exploited in the wild.

For organizations running VMware-based infrastructure, especially VxRail, this is not a vulnerability to ignore. Broadcom (VMware) has not provided a workaround, meaning the only viable mitigation is to apply patches immediately.

The Risk: A Hypervisor Takeover

Exploitation of CVE-2025-22224 means that a malicious actor with admin-level access to a compromised VM can escalate privileges to take over the ESXi hypervisor itself. This could result in:

  • Control over all VMs in the cluster
  • Compromise of sensitive workloads
  • Potential ransomware attacks
  • Loss of infrastructure integrity

Given the severity, this is not a "wait and see" situation. Organizations that delay patching risk becoming the next target.

VxRail-Specific Considerations

For those running Dell VxRail, the patching process is slightly different. VxRail updates are tied to a validated bundle that undergoes additional testing before release. This creates a delay between VMware releasing a security patch and Dell incorporating it into an official VxRail upgrade package.

However, there is a process to apply security patches independently and later bring your cluster back into compliance once Dell releases an official update. You can:

  1. Manually apply the VMware security patches (which I did on my 12-node VxRail V670F cluster with no issues so far).
  2. Open a support case with Dell when the official VxRail bundle is released to re-align your system with compliance.

Why I Chose to Patch Immediately

As someone responsible for maintaining secure and stable infrastructure, I chose not to wait. The risk of exploitation far outweighs the potential challenges of applying the patches outside of Dell’s official VxRail update cycle.

Every organization should perform its own risk assessment, factoring in:

  • Who has administrative access to your environment?
  • What workloads could be compromised?
  • What reliability or stability risks are you willing to accept?

For me, given the active exploitation in the wild, waiting wasn’t an option.

What Should You Do?

  1. Assess your risk tolerance – If your VMs are publicly accessible or handle sensitive data, patching should be a top priority.
  2. Test the patches in a controlled environment before rolling them out to production.
  3. If you're on VxRail, apply the patches and open a Dell support case once their official bundle is released.
  4. Monitor VMware and Dell advisories closely for updates.

Final Thoughts

This vulnerability is one of the most severe we’ve seen for VMware in recent years. If you’re running vSphere on VxRail, don’t assume you’re safe because you're waiting for an official Dell release—act now. Security is about managing risk, and in this case, the risk is too great to ignore.