China-linked cybercrims abused VMware ESXi zero-days a year before disclosure
Summary
Huntress reports that China-linked attackers were using, in December 2025, a VMware ESXi VM-escape toolkit that appears to have been under development as early as February 2024 — roughly a year before VMware publicly disclosed the related vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226). The intrusion began with a compromised SonicWall VPN appliance, escalated to a Domain Admin account, and pivoted across the network to deploy a suite of tools that escaped guest VMs and executed code on the ESXi hypervisor. The toolkit targeted many ESXi builds, disabled VMware drivers, loaded unsigned kernel modules and employed stealthy “phone home” behaviours to avoid detection.
Key Points
- Huntress observed an intrusion in Dec 2025 using a VM escape toolkit with development traces back to Feb 2024.
- Initial access came from a compromised SonicWall VPN, enabling Domain Admin compromise and lateral movement.
- The attack chain leveraged vulnerabilities later tracked as CVE-2025-22224/22225/22226 to break out of guest VMs to the hypervisor.
- Binaries contained Simplified Chinese strings and folder names suggesting regional origin and intent.
- The toolkit supported 150+ ESXi builds, disabled VMware drivers, loaded unsigned kernel modules and used covert exfiltration techniques.
Context and relevance
VM escape undermines the core isolation guarantees of virtualisation and can expose entire virtual infrastructures. This case shows advanced actors can weaponise zero-days well before public disclosure and maintain long, quiet access inside enterprises — a pattern seen in prior China-linked campaigns such as Volt Typhoon. Organisations running ESXi should prioritise hypervisor patching, strict network segmentation, driver/module integrity controls and vigilant detection of lateral movement.
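Added example, not code from the article or from Huntress: a small Python audit that parses the `Key: Value` report layout printed by `esxcli system module get -m <name>` and flags loaded modules that are not VMware-signed or that come from an untrusted acceptance level, the kind of driver/module integrity check recommended above. The report layout and the acceptance-level spellings are assumptions, and the sample output is constructed.

```python
"""Flag untrusted kernel modules in ESXi `esxcli system module get` output.

Assumption: each report is a run of "Key: Value" lines starting with a
"Module:" line. The sample below is constructed for this demo.
"""
import re

# Constructed sample: two module reports, as if concatenated from esxcli.
SAMPLE_REPORTS = """\
   Module: vmfs3
   Module File: /usr/lib/vmware/vmkmod/vmfs3
   Containing VIB: esx-base
   VIB Acceptance Level: certified
   Signed Status: VMware Signed
   Module: custom_mod
   Module File: /scratch/custom_mod
   Containing VIB: (none)
   VIB Acceptance Level: community
   Signed Status: Unsigned
"""

# Policy: only VMware-signed modules from a vetted acceptance level pass.
TRUSTED_SIGNED = {"VMware Signed"}
TRUSTED_LEVELS = {"certified", "accepted", "partner"}  # assumed spellings


def parse_module_reports(text):
    """Split concatenated module reports into one dict per module."""
    reports, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Module":  # a new report begins at each Module line
            current = {}
            reports.append(current)
        if current is not None:
            current[key] = value
    return reports


def find_untrusted_modules(text):
    """Return names of modules that fail the signing/acceptance policy."""
    flagged = []
    for rep in parse_module_reports(text):
        signed_ok = rep.get("Signed Status") in TRUSTED_SIGNED
        level_ok = rep.get("VIB Acceptance Level", "").lower() in TRUSTED_LEVELS
        if not (signed_ok and level_ok):
            flagged.append(rep.get("Module", "?"))
    return flagged


if __name__ == "__main__":
    print("untrusted modules:", find_untrusted_modules(SAMPLE_REPORTS))
```

On a live host, feed the function the output of `esxcli system module get -m <name>` for each entry in `esxcli system module list`, and pair the check with `execInstalledOnly` enforcement so unsigned binaries cannot run at all.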
Why should I read this
Look — if you run ESXi or manage virtual estates, this is proper worrying. Skilled attackers had working code to jump from VMs to the hypervisor long before vendors warned anyone. Read this so you don’t get caught out: patch, harden your hypervisors and lock down admin paths.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/01/09/china_esxi_zerodays/
