
On March 4, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. One affects the Linux kernel; the other three affect VMware ESXi, Workstation, and Fusion and were disclosed the same day in Broadcom's advisory VMSA-2025-0004, which states that all three have been exploited in the wild. The three VMware flaws matter most in combination: an attacker with administrative rights inside a guest can chain them to escape the virtual machine and take control of the host.
1. CVE-2024-50302 – Linux Kernel Use of Uninitialized Resource Vulnerability
- Description: The flaw is in the kernel's HID core, which handles keyboards, mice, and any other device that presents a HID interface (typically over USB or Bluetooth). The buffer that receives reports from the device was allocated without being zeroed, so a device sending a specially crafted report could cause stale kernel heap contents to be processed and exposed. The upstream fix zero-initializes the report buffer at allocation. This is an information leak (CWE-908, use of uninitialized resource), not a privilege escalation on its own.
- Attack Mechanics: The attacker needs a malicious or emulated HID device attached to the target, so this is a local, physical-access vector rather than a remote one. The leaked bytes are whatever previously occupied the recycled heap chunk; kernel pointers among them defeat address-space randomization and make a separate memory-corruption bug reliable. Amnesty International reported in February 2025 that this bug was one of several USB-driven Linux kernel flaws chained by a forensic extraction tool to unlock a locked Android phone.
- Impact:
  - Kernel Memory Disclosure: Stale heap data, which may include pointers and key material, is exposed to whoever controls the device.
  - Exploit-Chain Enabler: The leak is the kind of primitive used to turn a fragile kernel code-execution bug into a dependable one, which is how it has been abused in practice.
  - Broad Scope: Present in mainline and stable kernels shipped by all major distributions, and in Android, until the fix was backported.
- Mitigation: Apply the kernel update from your distribution (Red Hat, Debian, Ubuntu, SUSE, and others ship the backported fix) and reboot; a kernel update is not in effect until the system is running the new kernel. Only teams that build their own kernels need to rebuild from patched sources. Because the trigger is an attached device, also restrict which USB devices are accepted on sensitive hosts, for example with a device policy tool such as usbguard.
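To make the bug class concrete, here is an added example written for this page; it is a simplified model, not code from the Linux kernel. It models a driver that allocates its report buffer from a recycled heap chunk, receives a report shorter than that buffer from a device, and forwards the whole buffer. The "slab", the function names, and the sample report bytes are constructed for illustration. The vulnerable allocator returns memory as-is, as kmalloc() does; the fixed one zeroes it first, which is what the upstream change from kmalloc() to kzalloc() in hid_alloc_report_buf() does.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Linux kernel code: a simplified model of the
 * CVE-2024-50302 bug class. A fixed array stands in for a recycled
 * kernel heap chunk, a fake device delivers a short report, and the
 * driver passes the whole buffer on. All names are hypothetical. */

#define REPORT_BUF_LEN 64

/* Recycled heap chunk. Its previous user wrote key material and freed
 * it; kfree() does not scrub, so the bytes are still there. The 'K'
 * fill is a constructed stand-in for that secret. */
static unsigned char slab[REPORT_BUF_LEN];

static void slab_reset(void)
{
    memset(slab, 'K', sizeof slab);
}

/* Vulnerable allocator: hands the chunk back as-is, like kmalloc(). */
static unsigned char *alloc_report_buf_kmalloc(void)
{
    return slab;
}

/* Fixed allocator: zeroes the chunk first, like kzalloc(). The upstream
 * fix switched hid_alloc_report_buf() from kmalloc() to kzalloc(). */
static unsigned char *alloc_report_buf_kzalloc(void)
{
    memset(slab, 0, sizeof slab);
    return slab;
}

/* Fake HID device: delivers a crafted report that is shorter than the
 * buffer the driver sized from the report descriptor. Constructed bytes. */
static size_t device_deliver_report(unsigned char *buf, size_t buflen)
{
    static const unsigned char crafted[] = { 0x01, 0x02, 0x03, 0x04 };
    size_t n = sizeof crafted < buflen ? sizeof crafted : buflen;
    memcpy(buf, crafted, n);
    return n;
}

/* Driver path: allocate, receive, and forward the buffer at its declared
 * size, as a consumer that trusts the report size would see it.
 * Returns how many bytes of the old tenant's secret reach the consumer. */
static size_t process_report(unsigned char *(*alloc)(void))
{
    unsigned char out[REPORT_BUF_LEN];
    unsigned char *buf = alloc();
    size_t leaked = 0;

    (void)device_deliver_report(buf, REPORT_BUF_LEN); /* short report */
    memcpy(out, buf, REPORT_BUF_LEN);                 /* full-size forward */

    for (size_t i = 0; i < REPORT_BUF_LEN; i++)
        if (out[i] == 'K')
            leaked++;
    return leaked;
}

size_t leaked_bytes_vulnerable(void)
{
    slab_reset();
    return process_report(alloc_report_buf_kmalloc);
}

size_t leaked_bytes_fixed(void)
{
    slab_reset();
    return process_report(alloc_report_buf_kzalloc);
}

int main(void)
{
    printf("kmalloc-style buffer: %zu stale bytes reach the consumer\n",
           leaked_bytes_vulnerable());
    printf("kzalloc-style buffer: %zu stale bytes reach the consumer\n",
           leaked_bytes_fixed());
    return 0;
}
```

With a 4-byte report in a 64-byte buffer, the kmalloc-style path forwards 60 bytes of the previous tenant's data; the kzalloc-style path forwards none. The lesson generalizes: any buffer whose declared size can exceed the bytes a peripheral actually writes must be zeroed, or the consumer must be limited to the bytes actually received.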
2. CVE-2025-22225 – VMware ESXi Arbitrary Write Vulnerability
- Description: An arbitrary write vulnerability in ESXi. Per Broadcom, an attacker who already has code execution inside the VMX process (the per-VM host process that runs a virtual machine's device emulation) can trigger an arbitrary write into the host kernel, escaping the sandbox that confines VMX. It carries a CVSS score of 8.2.
- Attack Mechanics: This is a second-stage bug. It does not give a guest a foothold by itself; it is the step by which an attacker who has already taken over VMX, for example through CVE-2025-22224, breaks out of the VMX sandbox and reaches the hypervisor kernel.
- Impact:
  - Hypervisor Compromise: Full control of the ESXi host, including its kernel.
  - All Guests Affected: Every VM on the host, with its disks, memory, and network traffic, is reachable from a compromised host.
- Mitigation: Broadcom has released fixed ESXi builds (see VMSA-2025-0004); there is no workaround. Place hosts in maintenance mode, apply the patch, and reboot.
3. CVE-2025-22224 – VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
- Description: A Time-of-Check to Time-of-Use (TOCTOU) race condition in the VMCI (Virtual Machine Communication Interface) component of ESXi and Workstation that results in an out-of-bounds write. A user with local administrative privileges inside a guest can exploit it to execute code in that guest's VMX process on the host. It carries a CVSS score of 9.3 and is the entry point of the chain.
- Attack Mechanics:
  - The host reads a value from memory the guest controls, checks it, and then reads it again when it uses it. A second guest thread or vCPU changes the value between the two reads, so the check passes on a safe value and the use sees an unsafe one; here the result is a write past the end of a host buffer.
  - The race window is small, but the guest can retry indefinitely, so exploitation is practical rather than theoretical.
- Impact:
  - Guest-to-Host Escape: Code execution in VMX on the host from inside a VM.
  - Foothold for Further Escalation: VMX is sandboxed, so this bug is paired with CVE-2025-22225 to reach the host kernel.
- Mitigation: Broadcom has released fixed builds of ESXi and Workstation; no workaround exists. Patch and reboot promptly, and until then treat any guest whose administrators are not fully trusted as a potential attacker against the host.
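The check-then-use gap described above is a double fetch from guest-controlled memory. The following added example, written for this page and not VMware's code, models a host handler that reads a length field from a message the guest shares with the host, validates it, and copies the payload; a hook stands in for the concurrent guest thread and flips the length at the point where a real race would land, so the demonstration is deterministic. The message layout, function names, and canary are constructed for illustration and do not reflect the real VMCI code. The fixed handler fetches the value once into host-private memory and never re-reads shared memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not VMware code: a hypervisor-style double fetch.
 * The guest places a message header in memory it shares with the host.
 * A host handler that validates the length and then re-reads it for the
 * copy gives a second guest thread a window to enlarge it, turning a
 * bounds check into an out-of-bounds write. Layout and names are
 * hypothetical. */

#define HOST_BUF_LEN 32
#define GUEST_MAX    256
#define CANARY       0xDEADBEEFu

struct shared_msg {          /* lives in guest-writable memory */
    volatile uint32_t len;   /* guest may change this at any moment */
    uint8_t payload[GUEST_MAX];
};

/* Stand-in for the concurrent guest thread: invoked exactly where a real
 * race would land, so the demo is deterministic. */
typedef void (*race_hook)(struct shared_msg *);
static void guest_flips_len(struct shared_msg *m) { m->len = GUEST_MAX; }
static void guest_idle(struct shared_msg *m)      { (void)m; }

typedef int (*handler_fn)(uint8_t *, struct shared_msg *, race_hook);

/* Vulnerable: checks m->len, then fetches it again at the copy. */
static int host_handle_vulnerable(uint8_t *hostbuf, struct shared_msg *m,
                                  race_hook race)
{
    if (m->len > HOST_BUF_LEN)               /* time of check */
        return -1;
    race(m);                                 /* guest thread runs here */
    memcpy(hostbuf, m->payload, m->len);     /* time of use: second fetch */
    return 0;
}

/* Fixed: copy the guest-controlled value once into host-private memory,
 * validate the copy, and use only the copy. */
static int host_handle_fixed(uint8_t *hostbuf, struct shared_msg *m,
                             race_hook race)
{
    uint32_t len = m->len;                   /* single fetch */
    if (len > HOST_BUF_LEN)
        return -1;
    race(m);                                 /* too late to matter */
    memcpy(hostbuf, m->payload, len);        /* validated snapshot */
    return 0;
}

/* Host memory: the buffer, a canary right after it, then slack so an
 * overflow stays inside the allocation and can be observed safely.
 * Returns 1 if the canary survived, 0 if it was overwritten. */
static int run(handler_fn handler, race_hook race)
{
    size_t region_len = HOST_BUF_LEN + sizeof(uint32_t) + GUEST_MAX;
    uint8_t *region = malloc(region_len);
    struct shared_msg m;
    uint32_t canary_after;
    int intact;

    if (!region)
        return -1;
    memset(region, 0, region_len);
    memcpy(region + HOST_BUF_LEN, &(uint32_t){ CANARY }, sizeof(uint32_t));

    m.len = 16;                              /* passes the check */
    memset(m.payload, 0x41, sizeof m.payload);

    handler(region, &m, race);

    memcpy(&canary_after, region + HOST_BUF_LEN, sizeof canary_after);
    intact = canary_after == CANARY;
    free(region);
    return intact;
}

int canary_intact_vulnerable_idle(void)  { return run(host_handle_vulnerable, guest_idle); }
int canary_intact_vulnerable_raced(void) { return run(host_handle_vulnerable, guest_flips_len); }
int canary_intact_fixed_raced(void)      { return run(host_handle_fixed, guest_flips_len); }

int main(void)
{
    printf("vulnerable, no race: canary %s\n", canary_intact_vulnerable_idle()  ? "intact" : "smashed");
    printf("vulnerable, raced:   canary %s\n", canary_intact_vulnerable_raced() ? "intact" : "smashed");
    printf("fixed, raced:        canary %s\n", canary_intact_fixed_raced()      ? "intact" : "smashed");
    return 0;
}
```

Without the race both handlers behave; with it, the vulnerable handler copies 256 bytes into a 32-byte buffer and overwrites the canary, while the fixed handler copies the 16 bytes it validated. The rule for any host-side or kernel-side code that consumes attacker-shared memory is the same: copy in once, validate the private copy, and never touch the shared copy again.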
4. CVE-2025-22226 – VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability
- Description: An out-of-bounds read in HGFS (the host-guest file system behind VMware's shared folders) in ESXi, Workstation, and Fusion. A user with administrative privileges inside a guest can use it to read memory belonging to the VMX process. It carries a CVSS score of 7.1.
- Attack Mechanics:
  - A malformed HGFS request causes the host side to read past the end of a buffer and return VMX process memory to the guest.
  - The leaked memory reveals the layout of the VMX process (addresses and heap contents), which is what an attacker needs to defeat address-space randomization and land the CVE-2025-22224 write reliably.
- Impact:
  - Data Exposure: Host-side process memory, which may include data belonging to the VM or the host, becomes readable from the guest.
  - Exploitation Assistance: The leak turns a fragile escape into a dependable one.
- Mitigation: Broadcom has issued fixes for ESXi, Workstation, and Fusion; install them. Independently of this bug, keep vCenter, ESXi management interfaces, and SSH reachable only from a trusted management network.
CISA’s Recommendations and Actions
CISA’s decision to add these vulnerabilities to its KEV catalog underscores their active exploitation and critical nature. Here’s how organizations should respond:
Immediate Actions:
- Patch the affected kernels and VMware products ahead of other queued updates.
- Verify rather than schedule: confirm the running kernel version (uname -r) and the ESXi build after the reboot, since neither a kernel update nor an ESXi patch takes effect until the host restarts.
- Until hosts are patched, treat guest administrators as a threat to the host: the three VMware flaws start from admin rights inside a VM, so any compromised guest is a route to the hypervisor.
- Keep management interfaces (vCenter, ESXi host clients, SSH) off the public internet and reachable only from a management network.
Best Practices:
- Implement Network Segmentation: Isolate critical systems (e.g., hypervisors and virtual environments) to prevent lateral movement.
- Enable Endpoint Detection and Response (EDR): Ensure real-time monitoring of activities, particularly on Linux servers and virtualized infrastructures.
- Conduct Regular Vulnerability Scans: Utilize tools to identify and remediate any unpatched vulnerabilities.
- Use Threat Intelligence Feeds: Continuously integrate actionable intelligence, such as CISA’s KEV updates, to adapt defenses dynamically.
Long-Term Cybersecurity Enhancements:
- Develop a Vulnerability Management Program: Automate patch deployment cycles and ensure critical updates are installed without delay.
- Enforce Zero Trust Architecture: Continuously validate users, devices, and applications accessing the network.
- Strengthen Backup and Disaster Recovery Plans: Back up critical systems and virtual machines regularly, and keep the backups somewhere a compromised hypervisor cannot reach; backups stored on the same host or datastore are lost together with it.
Final Thoughts
The inclusion of these four vulnerabilities in the CISA KEV catalog confirms that they are being exploited, not merely that they could be. Organizations running Linux-based systems or VMware virtualization platforms must patch now; for VMware estates, a single guest with a hostile administrator is enough to lose the host and everything on it. Combining prompt patching with the practices above limits both the chance of compromise and its blast radius.