Exploit for VMware Zero-Day Flaws Likely Built a Year Before Public Disclosure

Fresh attacks targeted three VMware ESXi vulnerabilities that were disclosed in March 2025 as zero-days.


A threat actor likely operating in a Chinese-speaking region built an exploit for three VMware ESXi vulnerabilities more than a year before the flaws were patched and publicly disclosed in March 2025, cybersecurity firm Huntress reports.

The three bugs, tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226 and collectively named ESXicape, can be chained by an attacker with administrative privileges inside a guest VM to execute arbitrary code on the host and escape the VM, compromising the hypervisor itself.

VMware owner Broadcom warned when it released the patches in March 2025 that the three flaws had been exploited in the wild as zero-days, but did not share details on the attacks.

Now, Huntress says a threat actor attempted to exploit the VMware ESXi vulnerabilities in December 2025, in an attack likely involving ransomware.

Initial access to the targeted environment, Huntress says, was obtained through a compromised SonicWall VPN instance.

The hackers then abused a Domain Admin (DA) account to access the primary domain controller and then deployed the ESXi exploit toolkit.


As part of the attack, the hackers modified the Windows firewall to block the victim’s access to external networks, harvested data for exfiltration, and then executed the exploit, which escapes the VM and deploys a backdoor on the ESXi hypervisor.

Analysis of the VMware exploit, Huntress says, suggests it was developed by a well-resourced threat actor likely operating in a Chinese-speaking region.

The toolkit “was potentially built as a zero-day exploit over a year before VMware’s public disclosure,” the cybersecurity firm says.

Based on timestamps in the exploit’s binaries, Huntress believes that the exploit might be dated February 2024. A VSOCK communication tool used in the attack was likely created in November 2023.

“This exploit toolkit supports 155 ESXi builds spanning versions 5.1 through 8.0. If you are running end-of-life versions, you are exposed with no fix available,” Huntress notes.

Organizations are advised to apply patches for these VMware ESXi vulnerabilities as soon as possible.

Data from The Shadowserver Foundation shows that, as of January 8, 2026, over 30,000 internet-exposed ESXi instances could be vulnerable to CVE-2025-22224. These deployments might be affected by other bugs as well.
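Because the toolkit covers builds from 5.1 through 8.0, the practical question for a defender is which hosts are at or past the fixed build for their train, which need an upgrade to a supported train, and which are on end-of-life versions with no fix. The script below is an added example, not Huntress's or Broadcom's code: it parses the output of `esxcli system version get` or `vmware -vl` collected from each host and returns a verdict. The fixed build numbers are an assumption taken from memory of VMSA-2025-0004 and must be verified against the advisory; the host names and command output are constructed.

```python
"""Triage ESXi hosts against the ESXicape fixes (CVE-2025-22224/22225/22226).

Feed it the text of `esxcli system version get` or `vmware -vl` gathered from
each host (over SSH, PowerCLI, or from a config backup) and it reports whether
the host is at or past the fixed build for its train, needs an upgrade, or is
on an end-of-life train. Added example, not Huntress or Broadcom code.
"""
import re

# Fixed builds per (train, update level).
# ASSUMPTION: VMSA-2025-0004 fixed builds as recalled; verify against the advisory.
FIXED_BUILDS = {
    ("8.0", 3): 24585383,  # ESXi 8.0 U3d
    ("8.0", 2): 24585300,  # ESXi 8.0 U2d
    ("7.0", 3): 24585291,  # ESXi 7.0 U3s
}

# Trains the exploit supports that have no fix through general availability.
# ASSUMPTION: any 6.5/6.7 fix requires an extended-support entitlement; treat
# these as exposed unless you have confirmed such a patch is installed.
EOL_TRAINS = {"5.1", "5.5", "6.0", "6.5", "6.7"}

VERSION_RE = re.compile(r"\b(\d+\.\d+)(?:\.(\d+))?\b")   # 8.0.3 -> train 8.0, update 3
BUILD_RE = re.compile(r"build-?(\d+)", re.IGNORECASE)   # "Releasebuild-24022510" / "build-24022510"


def parse_host_output(text):
    """Return (train, update, build) from esxcli or `vmware -vl` output."""
    v = VERSION_RE.search(text)
    b = BUILD_RE.search(text)
    if not v or not b:
        raise ValueError("no ESXi version/build found in output")
    train, update = v.group(1), int(v.group(2) or 0)
    return train, update, int(b.group(1))


def assess(train, update, build):
    """Return PATCHED, VULNERABLE, UPGRADE_REQUIRED or EXPOSED_NO_FIX."""
    if train in EOL_TRAINS:
        return "EXPOSED_NO_FIX"
    fixed = FIXED_BUILDS.get((train, update))
    if fixed is None:
        # e.g. 8.0 GA/U1 or 7.0 U1/U2: no in-place fix, move to a fixed update level.
        return "UPGRADE_REQUIRED"
    # Build numbers increase within a train, so a later build carries the fix.
    return "PATCHED" if build >= fixed else "VULNERABLE"


def triage(hosts):
    """hosts: {name: raw command output}. Returns {name: verdict}."""
    return {name: assess(*parse_host_output(out)) for name, out in hosts.items()}


# Constructed sample output (not real hosts), in both accepted formats.
SAMPLE_HOSTS = {
    "esx-a": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24022510\n   Update: 3\n   Patch: 0\n",
    "esx-b": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24585383\n   Update: 3\n   Patch: 0\n",
    "esx-c": "VMware ESXi 7.0.3 build-24585291\nVMware ESXi 7.0 Update 3\n",
    "esx-d": "VMware ESXi 6.7.0 build-17700523\nVMware ESXi 6.7 Update 3\n",
    "esx-e": "VMware ESXi 8.0.1 build-22088125\nVMware ESXi 8.0 Update 1\n",
}

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{name}: {verdict}")
```

Run it against real output rather than the samples, and note that a host reported as UPGRADE_REQUIRED is as exposed as a VULNERABLE one until it is moved to a fixed update level; the verdict only tells you which remediation path applies.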

Related: CISA Adds Exploited XWiki, VMware Flaws to KEV Catalog

Related: Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability

Related: VMware Flaws That Earned Hackers $340,000 at Pwn2Own Patched

Related: NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
