Exploited CVEs / By vendor / VMware
VMware vulnerabilities actively exploited
26 VMware CVEs on the CISA Known Exploited Vulnerabilities catalog, newest first. Refreshed daily.
Every CVE below is confirmed exploited in the wild, not just theoretically severe. The newest addition is CVE-2025-22224 (ESXi and Workstation, added 2025-03-04). 9 of the 26 are used in ransomware campaigns. New CISA KEV entries appear here the day they are cataloged; the freshest across all vendors are on exploited this week.
Ask your own AI about VMware exploited CVEs
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
vCenter Server: 9 exploited CVEs
| CVE | Product | Added to KEV | Signals |
|---|---|---|---|
| CVE-2024-38812 | vCenter Server | 2024-11-20 | CVSS 9.8, EPSS 54% |
| CVE-2024-38813 | vCenter Server | 2024-11-20 | CVSS 9.8, EPSS 17% |
| CVE-2022-22948 | vCenter Server | 2024-07-17 | CVSS 6.5, EPSS 14% |
| CVE-2023-34048 | vCenter Server | 2024-01-22 | CVSS 9.8, EPSS 99% |
| CVE-2021-22017 | vCenter Server | 2022-01-10 | CVSS 5.3, EPSS 48% |
| CVE-2020-3952 | vCenter Server | 2021-11-03 | CVSS 9.8, EPSS 90% |
| CVE-2021-21972 | vCenter Server | 2021-11-03 | ransomware, CVSS 9.8, EPSS 100% |
| CVE-2021-21985 | vCenter Server | 2021-11-03 | ransomware, CVSS 9.8, EPSS 100% |
| CVE-2021-22005 | vCenter Server | 2021-11-03 | ransomware, CVSS 9.8, EPSS 100% |
ESXi: 3 exploited CVEs
| CVE | Product | Added to KEV | Signals |
|---|---|---|---|
| CVE-2025-22225 | ESXi | 2025-03-04 | ransomware, CVSS 8.2, EPSS 1% |
| CVE-2024-37085 | ESXi | 2024-07-30 | ransomware, CVSS 7.2, EPSS 27% |
| CVE-2020-3992 | ESXi | 2021-11-03 | ransomware, CVSS 9.8, EPSS 83% |
Multiple Products: 3 exploited CVEs
| CVE | Product | Added to KEV | Signals |
|---|---|---|---|
| CVE-2022-22960 | Multiple Products | 2022-04-15 | CVSS 7.8, EPSS 37% |
| CVE-2020-3950 | Multiple Products | 2021-11-03 | CVSS 7.8, EPSS 7% |
| CVE-2020-4006 | Multiple Products | 2021-11-03 | CVSS 9.1, EPSS 24% |
Other VMware products
| CVE | Product | Added to KEV | Signals |
|---|---|---|---|
| CVE-2025-22224 | ESXi and Workstation | 2025-03-04 | CVSS 8.2, EPSS 2% |
| CVE-2025-22226 | ESXi, Workstation, and Fusion | 2025-03-04 | CVSS 6.0, EPSS 2% |
| CVE-2023-20867 | Tools | 2023-06-23 | CVSS 3.9, EPSS 14% |
| CVE-2023-20887 | Aria Operations for Networks | 2023-06-22 | CVSS 9.8, EPSS 98% |
| CVE-2022-22947 | Spring Cloud Gateway | 2022-05-16 | CVSS 10.0, EPSS 98% |
| CVE-2022-22954 | Workspace ONE Access and Identity Manager | 2022-04-14 | ransomware, CVSS 9.8, EPSS 100% |
| CVE-2022-22965 | Spring Framework | 2022-04-04 | CVSS 9.8, EPSS 100% |
| CVE-2018-6961 | SD-WAN Edge | 2022-03-25 | CVSS 8.1, EPSS 86% |
| CVE-2021-21973 | vCenter Server and Cloud Foundation | 2022-03-07 | CVSS 5.3, EPSS 88% |
| CVE-2021-21975 | vRealize Operations Manager API | 2022-01-18 | ransomware, CVSS 7.5, EPSS 78% |
| CVE-2019-5544 | VMware ESXi and Horizon DaaS | 2021-11-03 | ransomware, CVSS 9.8, EPSS 97% |
Common questions about exploited VMware CVEs
Which VMware vulnerabilities are actively exploited?
As of July 2026, 26 VMware CVEs are on the CISA Known Exploited Vulnerabilities catalog, meaning exploitation in the wild is confirmed. The most-listed products are vCenter Server (9), ESXi (3), Multiple Products (3). 9 are linked to ransomware campaigns.
What is the newest exploited VMware CVE?
CVE-2025-22224, affecting ESXi and Workstation, added to the CISA KEV catalog on 2025-03-04. This page refreshes daily, so the newest entry is always first in the table.
How urgent are these VMware CVEs?
KEV listing is the strongest fix-first signal there is: it means confirmed exploitation, not a prediction. Patch these ahead of higher-CVSS issues that nobody is exploiting. Check the vendor advisory (linked below) for fixed versions and workarounds.
Can I ask my own AI about exploited VMware CVEs?
Yes. This page includes a free copy-paste AI prompt carrying the newest VMware KEV entries, with CVSS, EPSS, and ransomware context, into Claude, ChatGPT, or Copilot. The data is refreshed daily.
Authoritative references
All vendors, searchable with due dates and CSV export: the exploited-CVE tracker. Every vendor with a page: exploited by vendor.