Exploit for VMware Zero-Day Flaws Likely Built a Year Before Public Disclosure - SecurityWeek
SecurityWeek, archived Mar 16, 2026
A Chinese threat actor likely built an exploit for three VMware ESXi vulnerabilities more than a year before they were publicly disclosed and patched in March 2025, cybersecurity firm Huntress reports.
The three bugs, tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226 and collectively named ESXicape, allow privileged attackers to execute arbitrary code and escape the VM to compromise the hypervisor itself.
VMware owner Broadcom warned last year that the three flaws had been exploited in the wild as zero-days, but did not share information on the attacks.
Now, Huntress says a threat actor attempted to exploit the VMware ESXi vulnerabilities in December 2025, in an attack likely involving ransomware.
Initial access to the targeted environment, Huntress says, was obtained through a compromised SonicWall VPN instance.
The hackers then abused a Domain Admin (DA) account to access the primary domain controller, where they deployed the ESXi exploit toolkit.
As part of the attack, the hackers modified the Windows firewall to block the victim’s access to external networks, harvested data for exfiltration, and then executed the exploit, which escapes the VM and deploys a backdoor on the ESXi hypervisor.
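One way a defender could hunt for the ordered sequence Huntress describes (successful VPN login, Domain Admin logon on the domain controller, then a firewall rule blocking outbound traffic), as an added example that is not part of the article or of the Huntress report. The log format, field names, hostnames and the six-hour window are constructed assumptions, not a real product's telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry for the demo; none of it comes from the Huntress report.
SAMPLE_LOGS = """\
2025-12-03T02:10:11Z sonicwall vpn_login user=svc_backup src=203.0.113.7 result=success
2025-12-03T02:14:52Z dc01 logon user=da_admin logon_type=10 src=10.0.5.22 group=DomainAdmins
2025-12-03T02:21:30Z dc01 firewall_rule action=block direction=out name=block_all_outbound
2025-12-03T02:40:05Z dc01 process_start image=unknown_tool.exe parent=cmd.exe
"""

# One line per event: timestamp, host, event name, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")

# Ordered stages of the intrusion chain reported on this page; each predicate
# looks at one parsed event and decides whether it satisfies that stage.
STAGES = [
    ("vpn_access", lambda e: e["event"] == "vpn_login" and e.get("result") == "success"),
    ("domain_admin_on_dc", lambda e: e["event"] == "logon" and e.get("group") == "DomainAdmins"),
    ("outbound_blocked", lambda e: e["event"] == "firewall_rule"
                                   and e.get("action") == "block" and e.get("direction") == "out"),
]

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
          "host": m["host"], "event": m["event"]}
    ev.update(dict(kv.split("=", 1) for kv in m["kv"].split()))
    return ev

def detect_chain(log_text, window=timedelta(hours=6)):
    """Return the stage names matched in order, all within `window` of the first match."""
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e),
                    key=lambda e: e["ts"])
    matched, start, idx = [], None, 0
    for e in events:
        if idx == len(STAGES) or (start is not None and e["ts"] - start > window):
            break  # chain complete, or the correlation window has elapsed
        name, pred = STAGES[idx]
        if pred(e):  # stages must appear in the listed order
            matched.append(name)
            start = start or e["ts"]
            idx += 1
    return matched
```

A full three-stage match is the alert condition; a partial match (for example VPN access followed by a Domain Admin logon with no firewall change) is still worth a lower-severity review.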
Analysis of the VMware exploit, Huntress says, suggests it was developed by a well-resourced threat actor likely operating in a Chinese-speaking region.
The toolkit “was potentially built as a zero-day exploit over a year before VMware’s public disclosure,” the cybersecurity firm says.
Based on timestamps in the exploit’s binaries, Huntress believes that the exploit might be dated February 2024. A VSOCK communication tool used in the attack was likely created in November 2023.
“This exploit toolkit supports 155 ESXi builds spanning versions 5.1 through 8.0. If you are running end-of-life versions, you are exposed with no fix available,” Huntress notes.
Organizations are advised to apply patches for these VMware ESXi vulnerabilities as soon as possible.
Data from The Shadowserver Foundation shows that, as of January 8, 2026, over 30,000 internet-exposed ESXi instances could be vulnerable to CVE-2025-22224. These deployments might be affected by other bugs as well.
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.