A Chinese language menace actor constructed an exploit for 3 VMware ESXi vulnerabilities that have been patched in March 2025 over a yr earlier than public disclosure, cybersecurity agency Huntress experiences.
The three bugs, tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, and named ESXicape, permit privileged attackers to execute arbitrary code and escape the VM to compromise the hypervisor itself.
VMware proprietor Broadcom warned final yr that the three flaws had been exploited within the wild as zero-days, however didn’t share info on the assaults.
Now, Huntress says a menace actor has tried to use the VMware ESXi vulnerabilities in December 2025, in an assault possible involving ransomware.
Preliminary entry to the focused atmosphere, Huntress says, was obtained by means of a compromised SonicWall VPN occasion.
The hackers then abused a Area Admin (DA) account to entry the first area controller after which deployed the ESXi exploit toolkit.Commercial. Scroll to proceed studying.
As a part of the assault, the hackers modified the Home windows firewall to dam the sufferer’s entry to exterior networks, harvested information for exfiltration, after which executed the exploit, which escapes the VM and deploys a backdoor on the ESXi hypervisor.
Evaluation of the VMware exploit, Huntress says, suggests it was developed by a well-resourced menace actor possible working in a Chinese language-speaking area.
The toolkit “was doubtlessly constructed as a zero-day exploit over a yr earlier than VMware’s public disclosure,” the cybersecurity agency says.
Primarily based on timestamps within the exploit’s binaries, Huntress believes that the exploit is perhaps dated February 2024. A VSOCK communication instrument used within the assault was possible created in November 2023.
“This exploit toolkit helps 155 ESXi builds spanning variations 5.1 by means of 8.0. In case you are operating end-of-life variations, you might be uncovered with no repair accessible,” Huntress notes.
Organizations are suggested to use patches for these VMware ESXi vulnerabilities as quickly as potential.
Information from The Shadowserver Basis reveals that, as of January 8, 2026, over 30,000 internet-exposed ESXi cases might be weak to CVE-2025-22224. These deployments is perhaps affected by different bugs as effectively.
Associated: CISA Provides Exploited XWiki, VMware Flaws to KEV Catalog
Associated: Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability
Associated: VMware Flaws That Earned Hackers $340,000 at Pwn2Own Patched
Associated: NATO-Flagged Vulnerability Tops Newest VMware Safety Patch Batch
