Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Exploit for VMware Zero-Day Flaws Likely Built a Year Before Public Disclosure

Fresh attacks targeted three VMware ESXi vulnerabilities that were disclosed in March 2025 as zero-days.

VMware

A Chinese threat actor built an exploit for three VMware ESXi vulnerabilities that were patched in March 2025 over a year before public disclosure, cybersecurity firm Huntress reports.

The three bugs, tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, and named ESXicape, allow privileged attackers to execute arbitrary code and escape the VM to compromise the hypervisor itself.

VMware owner Broadcom warned last year that the three flaws had been exploited in the wild as zero-days, but did not share information on the attacks.

Now, Huntress says a threat actor has attempted to exploit the VMware ESXi vulnerabilities in December 2025, in an attack likely involving ransomware.

Initial access to the targeted environment, Huntress says, was obtained through a compromised SonicWall VPN instance.

The hackers then abused a Domain Admin (DA) account to access the primary domain controller and then deployed the ESXi exploit toolkit.

Advertisement. Scroll to continue reading.

As part of the attack, the hackers modified the Windows firewall to block the victim’s access to external networks, harvested data for exfiltration, and then executed the exploit, which escapes the VM and deploys a backdoor on the ESXi hypervisor.

Analysis of the VMware exploit, Huntress says, suggests it was developed by a well-resourced threat actor likely operating in a Chinese-speaking region.

The toolkit “was potentially built as a zero-day exploit over a year before VMware’s public disclosure,” the cybersecurity firm says.

Based on timestamps in the exploit’s binaries, Huntress believes that the exploit might be dated February 2024. A VSOCK communication tool used in the attack was likely created in November 2023.

“This exploit toolkit supports 155 ESXi builds spanning versions 5.1 through 8.0. If you are running end-of-life versions, you are exposed with no fix available,” Huntress notes.

Organizations are advised to apply patches for these VMware ESXi vulnerabilities as soon as possible.

Data from The Shadowserver Foundation shows that, as of January 8, 2026, over 30,000 internet-exposed ESXi instances could be vulnerable to CVE-2025-22224. These deployments might be affected by other bugs as well.

Related: CISA Adds Exploited XWiki, VMware Flaws to KEV Catalog

Related: Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability

Related: VMware Flaws That Earned Hackers $340,000 at Pwn2Own Patched

Related: NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.