
VMware ESXi zero-days likely exploited a year before disclosure


Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that seems to have been developed more than a year before the targeted vulnerabilities became publicly known.

In attacks from December 2025 analyzed by managed security company Huntress, the hackers used a sophisticated virtual machine (VM) escape that likely exploited three VMware vulnerabilities disclosed as zero-days in March 2025.

Of the three bugs, only one received a critical severity score:

CVE-2025-22226 (7.1 severity score): An out-of-bounds read in HGFS that allows leaking memory from the VMX process

CVE-2025-22224 (9.3 severity score): A TOCTOU vulnerability in Virtual Machine Communication Interface (VMCI) leading to an out-of-bounds write, allowing code execution as the VMX process

CVE-2025-22225 (8.2 severity score): An arbitrary write vulnerability in ESXi that allows escaping the VMX sandbox to the kernel

At the time of the disclosure, Broadcom warned that the security issues could be chained by attackers with administrator privileges to escape the VM and gain access to the underlying hypervisor.

However, a new report from Huntress provides clues indicating that the vulnerabilities may have been chained into a working exploit since at least February 2024.

The researchers found a folder named "2024_02_19" in the PDB paths embedded in the exploit binaries, suggesting that the package was developed as a potential zero-day exploit. The neighbouring Chinese-language folder name translates roughly to "all-version escape / delivery":

C:\Users\test\Desktop\2024_02_19\全版本逃逸--交付\report\ESXI_8.0u3\
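As an added defender-side example, not code from the article or from Huntress, the following script shows how the kind of clue described above can be pulled out of a binary for triage: it locates CodeView RSDS debug records (the structure in which PE files store their PDB path), decodes the path, and flags traits worth noting in an investigation, such as a YYYY_MM_DD build folder, non-ASCII folder names, a reference to ESXi, and the build user. The sample blob is constructed in the script; the file name PLACEHOLDER.pdb appended to the article's folder path is a placeholder, the second "benign" path is invented for contrast, and the GBK fallback is an assumption that the build machine may have used a Chinese locale.

```python
import re

RSDS_MAGIC = b"RSDS"

# Folder names shaped like YYYY_MM_DD, the pattern seen in the article's PDB path.
DATE_FOLDER_RE = re.compile(
    r"(?<![0-9])(20[0-9]{2})_(0[1-9]|1[0-2])_(0[1-9]|[12][0-9]|3[01])(?![0-9])"
)


def build_rsds_record(pdb_path: str, guid: bytes = b"\x00" * 16,
                      age: int = 1, encoding: str = "utf-8") -> bytes:
    """Build a CodeView RSDS record: magic, 16-byte GUID, uint32 LE age, NUL-terminated path.
    Used here only to construct the sample blob; real binaries carry this in the debug directory."""
    return RSDS_MAGIC + guid + age.to_bytes(4, "little") + pdb_path.encode(encoding) + b"\x00"


def extract_pdb_paths(blob: bytes) -> list[str]:
    """Return every PDB path found in RSDS records inside blob.
    Decoding tries UTF-8 first, then GBK (assumption: builds from Chinese-locale
    Windows may store the path in the ANSI code page rather than UTF-8)."""
    paths = []
    start = 0
    while True:
        idx = blob.find(RSDS_MAGIC, start)
        if idx == -1:
            break
        path_start = idx + len(RSDS_MAGIC) + 16 + 4   # skip magic, GUID, age
        end = blob.find(b"\x00", path_start)
        if end == -1:
            break
        raw = blob[path_start:end]
        for enc in ("utf-8", "gbk"):
            try:
                paths.append(raw.decode(enc))
                break
            except UnicodeDecodeError:
                continue
        start = end
    return paths


def triage_pdb_path(path: str) -> dict:
    """Summarise investigation-relevant traits of a single PDB path."""
    folders = [p for p in path.replace("/", "\\").split("\\") if p]
    # Build user, when the path follows the usual C:\Users\<name>\... layout.
    user = None
    if len(folders) > 2 and folders[0].lower().startswith("c:") and folders[1].lower() == "users":
        user = folders[2]
    return {
        "path": path,
        "user": user,
        "date_folders": ["_".join(m) for m in DATE_FOLDER_RE.findall(path)],
        "non_ascii": any(ord(c) > 127 for c in path),
        "mentions_esxi": "esxi" in path.lower(),
    }


# Constructed sample: the article's folder path plus a placeholder file name,
# and an invented benign path for contrast, wrapped in junk bytes.
ARTICLE_PATH = r"C:\Users\test\Desktop\2024_02_19\全版本逃逸--交付\report\ESXI_8.0u3\PLACEHOLDER.pdb"
BENIGN_PATH = r"C:\build\app\Release\app.pdb"
SAMPLE_BLOB = (b"MZ" + b"\x00" * 64 + build_rsds_record(ARTICLE_PATH)
               + b"\x90" * 32 + build_rsds_record(BENIGN_PATH) + b"\x00" * 16)


def triage_blob(blob: bytes) -> list[dict]:
    """Extract and triage every PDB path in a binary blob."""
    return [triage_pdb_path(p) for p in extract_pdb_paths(blob)]


if __name__ == "__main__":
    for result in triage_blob(SAMPLE_BLOB):
        print(result)
```

In practice you would feed `extract_pdb_paths` the bytes of each suspicious executable and treat a hit with a dated folder, non-ASCII components and a hypervisor name as a reason to pivot to the Huntress indicators rather than as proof on its own; PDB paths are trivially forged and their absence proves nothing.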
