
"Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024. Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it may have resulted in a ransomware attack."
"Most notably, the attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process."
Activity observed in December 2025 targeted VMware ESXi, using a compromised SonicWall VPN appliance as the initial access vector. The exploit set appears to have been developed as early as February 2024 and weaponizes three VMware vulnerabilities that were disclosed as zero-days (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), enabling memory leaks from, or code execution as, the VMX process. CISA added the flaws to its Known Exploited Vulnerabilities catalog. The toolkit contains Simplified Chinese development paths and a folder named '全版本逃逸--交付' (roughly "all-version escape -- delivery"), suggesting a Chinese-speaking developer. The exploit chain uses HGFS for the information leak, VMCI for the memory corruption, and shellcode that escapes to the kernel; 'exploit.exe' (MAESTRO) acts as the orchestrator.
Read at The Hacker News