More than 17,000 VMware ESXi installations worldwide are at risk from a severe integer-overflow vulnerability tracked as CVE-2025-41236 (CVSS 9.3), cybersecurity researchers warn.
This critical vulnerability, first flagged in July, has prompted urgent calls for patching, but the latest scan results suggest progress remains slow, with thousands of systems still unpatched.
Shadowserver Foundation, in partnership with the UK Government, incorporated targeted detection for CVE-2025-41236 into its daily global scan on July 19, 2025.
The inaugural scan identified a staggering 17,238 unique IPs running vulnerable versions of ESXi, a popular virtualization platform used in enterprise environments.
By August 10, the number of unpatched servers had only marginally decreased to 16,330, underscoring an alarmingly slow pace of remediation despite open warnings and the critical nature of this threat.
VMware ESXi Vulnerability – CVE-2025-41236
The geographical distribution of exposed systems highlights the scale of the challenge. France, China, the United States, and Germany top the list of most affected countries, each hosting hundreds or thousands of vulnerable ESXi instances.
Exposed Servers
Other regions with significant exposure include Russia, the Netherlands, and Brazil. The situation presents heightened risk for businesses, governments, and cloud service providers relying on ESXi for virtualization.
Attackers able to exploit this vulnerability could gain control over core infrastructure, potentially disrupting critical systems at scale.
CVE-2025-41236 is an integer-overflow bug in VMware ESXi’s HTTP management interface. Rated 9.3 out of 10 on the CVSS scale, it permits unauthenticated remote attackers to execute arbitrary code, escalate privileges, or deliver ransomware inside virtual environments.
Researchers say exploitation is trivial and could enable attackers to pivot across entire data centers. The vulnerability affects ESXi 7.x and some 8.x builds, with exploits reportedly circulating in underground forums since late July.
Security teams have responded slowly, as reflected in the numbers: Shadowserver’s scans over three weeks show a reduction of less than 1,000 vulnerable instances, barely 5% of those at risk. Experts attribute sluggish patching to complex upgrade processes, downtime concerns, and poor awareness.
Many exposed ESXi hosts are directly accessible from the internet, compounding risk and inviting mass exploitation campaigns.
- Patch Immediately: Organizations running unpatched ESXi versions must deploy VMware’s official security updates without delay.
- Check Exposure: Use public scanning tools or vendor advisories to check whether your environments are exposed.
- Restrict Access: Limit internet-facing management interfaces and enforce strong authentication policies.
The continued existence of thousands of internet-exposed, unpatched ESXi servers signals an urgent need for improved security hygiene and accelerated vulnerability management efforts. With global cybercriminals actively seeking to exploit CVE-2025-41236, time is of the essence.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
