VMware ESXi Ransomware Campaign Exploits Year-Old Vulnerability in Unpatched Servers
A new ransomware campaign dubbed "ESXiCrypt" is mass-exploiting CVE-2025-21985, a known heap overflow vulnerability in VMware ESXi's OpenSLP service, to encrypt virtual machines on unpatched hypervisors. Over 3,500 servers have been compromised worldwide in the past two weeks.
The vulnerability was patched by VMware in March 2025, but Shodan scans reveal that approximately 18,000 ESXi servers remain unpatched and internet-accessible. The ransomware targets the vmdk, vmx, and vmxf files that comprise virtual machine disk images and configurations.
The attackers demand 2 Bitcoin (approximately $140,000) per server for the decryption key. Unlike typical ransomware that encrypts the entire file, ESXiCrypt only encrypts the first 50MB of each vmdk file, dramatically speeding up the encryption process and making recovery more difficult.
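The partial-encryption behaviour described above (only the first 50 MB of each vmdk is overwritten) leaves a forensic signature a defender can look for: high-entropy ciphertext right up to the 50 MB boundary, followed by untouched low-entropy disk data. The script below is an added illustration of that triage check, not the article's content and not Broadcom's detection script (which checks patch status, not encryption). It assumes a 64 KB sample per region, an entropy threshold of 7.5 bits per byte, and the standard vmdk markers (the sparse-extent magic `KDMV` and the `# Disk DescriptorFile` descriptor prefix); the fixture files it builds are constructed stand-ins, not real disk images.

```python
"""Triage vmdk files for the first-50MB partial encryption pattern (added example)."""
import math
import os
import random
import tempfile

# The article states that only the first 50 MB of each vmdk is encrypted.
ENCRYPTED_PREFIX_LEN = 50 * 1024 * 1024
SAMPLE_LEN = 64 * 1024        # bytes sampled from each region (assumption)
HIGH_ENTROPY = 7.5            # bits per byte; threshold chosen here, not from the article

# Markers from the VMDK format itself (sparse-extent header magic, text descriptor prefix).
SPARSE_MAGIC = b"KDMV"
DESCRIPTOR_PREFIX = b"# Disk DescriptorFile"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_vmdk(path: str) -> dict:
    """Compare entropy just inside the 50 MB prefix with entropy just beyond it."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_LEN)
        tail = b""
        if size >= ENCRYPTED_PREFIX_LEN + SAMPLE_LEN:
            fh.seek(ENCRYPTED_PREFIX_LEN)
            tail = fh.read(SAMPLE_LEN)
    head_e = shannon_entropy(head)
    tail_e = shannon_entropy(tail)
    known_header = head.startswith(SPARSE_MAGIC) or head.startswith(DESCRIPTOR_PREFIX)

    if tail:
        if head_e >= HIGH_ENTROPY and tail_e < HIGH_ENTROPY:
            verdict = "suspect_partial_encryption"   # ciphertext stops at the 50 MB mark
        elif head_e < HIGH_ENTROPY:
            verdict = "clean"
        else:
            # High entropy on both sides: guest-side encryption/compression, or full encryption.
            verdict = "inconclusive"
    else:
        # Small files (descriptors, small extents) have nothing beyond 50 MB to compare against.
        if known_header:
            verdict = "clean"
        elif head_e >= HIGH_ENTROPY:
            verdict = "suspect_encrypted"
        else:
            verdict = "inconclusive"
    return {"path": path, "size": size, "head_entropy": round(head_e, 3),
            "tail_entropy": round(tail_e, 3), "known_header": known_header,
            "verdict": verdict}


def scan_datastore(root: str) -> list:
    """Triage every .vmdk below a datastore path (on ESXi, /vmfs/volumes/<datastore>)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".vmdk"):
                results.append(triage_vmdk(os.path.join(dirpath, name)))
    return results


def build_constructed_samples() -> tuple:
    """Write two constructed fixtures (not real disk images) and return their paths."""
    d = tempfile.mkdtemp(prefix="vmdk_triage_")
    total = ENCRYPTED_PREFIX_LEN + 2 * SAMPLE_LEN
    clean = os.path.join(d, "healthy.vmdk")
    with open(clean, "wb") as fh:
        fh.write(SPARSE_MAGIC)                # sparse-extent magic, then sparse zeros
        fh.truncate(total)
    hit = os.path.join(d, "hit.vmdk")
    rng = random.Random(20250301)             # deterministic stand-in for ciphertext
    with open(hit, "wb") as fh:
        fh.write(rng.randbytes(1024 * 1024))  # only the sampled head must look encrypted
        fh.truncate(total)                    # region beyond 50 MB stays untouched (zeros)
    return clean, hit


if __name__ == "__main__":
    for report in map(triage_vmdk, build_constructed_samples()):
        print(report)
```

Run it against a datastore with `scan_datastore("/vmfs/volumes/<datastore>")` from a read-only forensic copy where possible; an "inconclusive" result on a flat extent whose guest already uses full-disk encryption is expected, so the verdict is a triage prompt, not proof, and should be confirmed against file modification times and the hypervisor's logs.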
Broadcom (which acquired VMware) has re-issued the security advisory with updated urgency ratings and is offering free emergency support to affected customers. The company has also released a detection script that administrators can run to determine if their ESXi installations are vulnerable.
Organizations running VMware ESXi are urged to immediately apply the patch, disable the OpenSLP service if not needed, restrict management network access, and ensure that ESXi management interfaces are not exposed to the internet.