TL;DR

Huntress says a China-linked group had a working ESXi hypervisor escape toolkit developed well before VMware publicly disclosed related vulnerabilities. The intruders used a compromised SonicWall VPN to gain Domain Admin access, pivot across networks, and deploy tools that escaped guest VMs to run on ESXi hosts.

What happened

Researchers at Huntress analyzed an intrusion observed in December 2025 in which attackers used a multi-component toolkit to escape from virtual machines and execute code on VMware ESXi hypervisors. The intrusion chain started with a compromised SonicWall VPN appliance, which the attackers leveraged to obtain a Domain Admin account and move laterally. Huntress found binaries and build artifacts containing simplified Chinese strings and folder names indicating an "All version escape – delivery" intent, with timestamps suggesting development activity as early as February 2024. The toolkit reportedly chained multiple flaws to break out of guest VMs, a set of issues VMware later tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226 and disclosed in March 2025. During the incident the attackers disabled VMware drivers, loaded unsigned kernel modules, and maintained stealthy command-and-control communications. The toolkit supported over 150 ESXi builds, potentially widening its impact had it not been disrupted.

Why it matters

  • VM escape bypasses virtualization isolation, letting attackers affect the host and all hosted VMs.
  • Evidence of weaponization long before public disclosure shortens defenders' window to respond once vulnerabilities are revealed.
  • Support for 150+ ESXi builds increases the potential attack surface across enterprises using diverse versions.
  • Stealthy techniques such as disabling drivers and loading unsigned kernel modules make detection and remediation more difficult.

Key facts

  • Huntress analyzed an intrusion observed in December 2025.
  • Binaries and folders contained simplified Chinese strings and labels suggesting the kit’s origin and intent.
  • Researchers say development activity for the toolkit dates back to about February 2024.
  • VMware assigned CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226 to the flaws and disclosed them in March 2025.
  • Initial access in the observed incident came via a compromised SonicWall VPN appliance.
  • Attackers escalated to a Domain Admin account and pivoted across the network before targeting ESXi hosts.
  • The toolkit chained multiple flaws to escape guest VMs and execute on the ESXi hypervisor.
  • Operators disabled VMware drivers, loaded unsigned kernel modules, and kept command-and-control traffic stealthy.
  • The toolkit was capable of affecting more than 150 ESXi builds, per Huntress.

What to watch next

  • Patch ESXi hosts for the CVEs disclosed in March 2025 (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) and verify patch deployment across builds.
  • Monitor for disabled VMware drivers, the presence of unsigned kernel modules, and anomalous hypervisor-level activity.
  • Watch for signs of lateral movement from VPN appliances and for long-dwelling intrusions that aim to avoid detection.
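A defender-side check for the host-level indicators in the two monitoring bullets above, added here as an example and not code from Huntress or VMware. It assumes the table layout of `esxcli system module list` and the "Key: Value" layout of `esxcli system module get -m <name>`; the sample outputs embedded in it are constructed, and the live audit runs only where `esxcli` is present.

```shell
#!/bin/sh
# Added example (not Huntress's or VMware's code): read-only ESXi checks for VMware kernel
# modules that have been disabled and for loaded modules without a VMware signature.
# Assumes the layouts of `esxcli system module list` and `esxcli system module get`.

# Print the names of modules whose "Is Enabled" column is false (they will not load at boot).
# Input: `esxcli system module list` output on stdin; the first two lines are the header.
disabled_modules() {
    awk 'NR > 2 && NF >= 3 && $3 == "false" { print $1 }'
}

# Return 0 if a `module get` block on stdin reports "Signed Status: VMware Signed",
# 1 otherwise (a missing Signed Status line is treated as unsigned, on purpose).
module_is_signed() {
    awk -F': *' '$1 ~ /Signed Status/ { status = $2 }
                 END { exit (status == "VMware Signed") ? 0 : 1 }'
}

# Live check on an ESXi host: report disabled modules, then every loaded module
# that fails the signature check. Needs only the ESXi shell and esxcli.
audit_host() {
    list=$(esxcli system module list) || return 2
    printf '%s\n' "$list" | disabled_modules | sed 's/^/DISABLED module: /'
    printf '%s\n' "$list" | awk 'NR > 2 && $2 == "true" { print $1 }' |
    while read -r mod; do
        esxcli system module get -m "$mod" | module_is_signed ||
            echo "UNSIGNED loaded module: $mod"
    done
}

# Constructed sample output (not captured from a real host) for exercising the parsers
# off-box; the module names below are illustrative only.
SAMPLE_LIST='Name           Is Loaded  Is Enabled
-------------  ---------  ----------
vmkernel          true       true
nmlx5_core        true       true
vmw_ahci         false      false
vmkapi_v2_0_0     true      false'

SAMPLE_GET_SIGNED='   Module: nmlx5_core
   VIB Acceptance Level: certified
   Signed Status: VMware Signed'

SAMPLE_GET_UNSIGNED='   Module: sample_unsigned
   Signed Status: Unsigned'

# Run the live audit only where esxcli exists; elsewhere the parsers stay usable offline.
if command -v esxcli >/dev/null 2>&1; then audit_host; fi
```

Saved `esxcli` output from a host can be piped into `disabled_modules` and `module_is_signed` from any POSIX shell, which keeps the review off the possibly compromised host.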

Quick glossary

  • VM escape: A vulnerability or technique that allows code running inside a virtual machine to break out and execute on the host or other guest VMs.
  • Hypervisor: Software that creates and runs virtual machines by managing the host hardware and isolating guest operating systems.
  • Kernel module: A piece of code that can be loaded into the operating system kernel to extend functionality, such as device drivers; unsigned modules may be blocked by security controls.
  • Zero-day: A previously unknown software vulnerability that has not yet been patched by the vendor and for which no official fix is available at discovery time.
  • Domain Admin: A high-privilege account in Windows domains with broad administrative control over networked resources.

Reader FAQ

Who carried out the attacks?
Huntress describes the operators as China-linked cybercriminals.

When were the related vulnerabilities publicly disclosed?
VMware disclosed the issues in March 2025 (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226).

Were the exploits used before disclosure?
Huntress reports development activity beginning around February 2024, well before the March 2025 public disclosure, and observed the toolkit in use in December 2025; the early development timeline is what indicates weaponization prior to disclosure.

How did the attackers gain initial access?
The intrusion began with a compromised SonicWall VPN appliance, per Huntress.

Are the specific victim organizations named?
Not confirmed in the source.

Sources

  • "China-linked cybercrims abused VMware ESXi zero-days a year before disclosure" (Virtualization section; subheading: "Huntress analysis suggests VM escape bugs were already weaponized in the wild"), by Carly Page, Fri 9 Jan 2026, 13:28 UTC.
