
"Chinese-linked cybercriminals were sitting on a working VMware ESXi hypervisor escape kit more than a year before the bugs it relied on were made public. That's according to researchers at Huntress, who this week published a breakdown of an intrusion they observed in December 2025 in which a "sophisticated" toolkit was used to break out of virtual machines and target the ESXi hypervisor itself."
"The incident began in a very unglamorous way - with a compromised SonicWall VPN appliance. From there, the attackers were able to commandeer a Domain Admin account, pivot across the network, and eventually deploy a suite of tools that Huntress says exploited multiple flaws to escape a guest VM and reach the underlying ESXi hypervisor. VM escape bugs are particularly serious because they break a promise virtualization is built on: that a hacked VM stays in its own box."
"Huntress's analysis of the binaries revealed development paths with simplified Chinese strings and folders labeled with Chinese text meaning "All version escape - delivery," hinting at the region and intent behind the work. What's more, the researchers say the code carried timestamps showing it was put together well before VMware acknowledged or fixed the vulnerabilities. Those flaws - tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 -"
Chinese-linked actors developed and retained a functioning VMware ESXi hypervisor escape kit with development traces dating to February 2024. The toolkit was used in a December 2025 intrusion that began with a compromised SonicWall VPN appliance, escalated to a Domain Admin account, and involved lateral movement across the network. Attackers deployed tools that chained multiple flaws to escape a guest VM and execute code on the ESXi hypervisor. Binaries included simplified Chinese strings and folders marked "All version escape - delivery," and timestamps indicated assembly well before VMware issued fixes for the tracked CVEs.
Read at Theregister