Chinese-speaking threat actors are suspected of using a compromised SonicWall VPN appliance as an initial access point to deploy a VMware ESXi exploit that may have been developed as early as February 2024. It may have been a ransomware attack, according to cybersecurity company Huntress, which observed the activity in December 2025 and halted it before it could reach the final stage. Most notably, the attack is thought to have exploited three VMware vulnerabilities that Broadcom disclosed as zero-days in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1).
Successful exploitation could allow a malicious actor with administrator privileges to execute code as the Virtual Machine Executable (VMX) process or leak memory from the VMX process. The same month, the U.S. Notably, the GetShell Plugin is dropped into the Windows virtual machine (VM) as a ZIP archive ("Binary.zip") that also contains a README file with usage instructions giving an overview of its command execution and file transfer capabilities.
Although the identity of the toolkit's creator is still unknown, the use of simplified Chinese, the intricacy of the attack chain, and the exploitation of zero-day vulnerabilities months before they were made public all suggest, according to Huntress, a well-resourced developer working in a Chinese-speaking region.
"This intrusion demonstrates a sophisticated, multi-stage attack chain designed to escape virtual machine isolation and compromise the underlying ESXi hypervisor," the company continued. "The threat actor accomplished what every virtual machine administrator dreads: complete control of the hypervisor from within a guest VM by chaining an information leak, memory corruption, and sandbox escape." "The use of VSOCK for backdoor communication is especially worrisome because it completely avoids conventional network monitoring, making detection much more difficult."
Additionally, the toolkit puts stealth ahead of persistence.





