Executive Summary
In late 2025, threat researchers identified a series of intrusions targeting VMware ESXi hypervisors via a zero-day toolkit attributed to a Chinese-speaking advanced persistent threat group. The attackers initially gained access by compromising a SonicWall VPN device and pivoted through privileged domain accounts, leveraging sophisticated VM escape exploits that chained three ESXi zero-day vulnerabilities (CVE-2025-22226, CVE-2025-22224, and CVE-2025-22225) developed more than a year before disclosure. The exploit chain enabled lateral movement, data staging for exfiltration, and installation of stealth persistence backdoors, placing numerous enterprise virtualization environments at sustained risk for data breach and operational disruption.
This incident exemplifies the escalating sophistication of APT operations, underlining the risks posed by supply chain weaknesses, late vulnerability reporting, and the ability of attackers to evade common monitoring. The case also highlights growing regulatory scrutiny on zero-day management and east-west traffic visibility within critical infrastructure.
Why This Matters Now
Zero-day attacks targeting hypervisors can undermine cloud and virtualized infrastructure at scale, often before detection tools catch up. Organizations face heightened urgency to patch, monitor lateral movement, and improve segmentation, as attackers increasingly blend advanced exploits with living-off-the-land techniques and supply chain entry vectors.
Attack Path Analysis
The attacker initially compromised the target network through a vulnerable SonicWall VPN appliance, leveraging this access and stolen domain admin credentials to escalate privileges. They moved laterally via RDP into key systems, ultimately delivering a custom VM escape exploit chain to compromise the ESXi hypervisor. The adversary established covert command and control through a VSOCK-based backdoor, bypassing traditional monitoring channels. Data staging and exfiltration were then conducted over controlled channels, and malicious persistence or further disruptive impact was possible through deployment of a hypervisor-level backdoor.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a vulnerable SonicWall VPN to gain network access.
Related CVEs
CVE-2025-22224
CVSS: 9.3
A TOCTOU vulnerability in VMware ESXi and Workstation allows a local attacker with administrative privileges to execute code as the VMX process on the host.
Affected Products:
VMware ESXi – 7.0 prior to 7.0 Update 3s, 8.0 Update 2 prior to 8.0 Update 2d, 8.0 Update 3 prior to 8.0 Update 3d
VMware Workstation – 17.x prior to 17.6.3
Exploit Status: exploited in the wild

CVE-2025-22225
CVSS: 8.2
An arbitrary write vulnerability in VMware ESXi allows a malicious actor with privileges within the VMX process to trigger an arbitrary kernel write, leading to a sandbox escape.
Affected Products:
VMware ESXi – 7.0 prior to 7.0 Update 3s, 8.0 Update 2 prior to 8.0 Update 2d, 8.0 Update 3 prior to 8.0 Update 3d
Exploit Status: exploited in the wild

CVE-2025-22226
CVSS: 7.1
An out-of-bounds read vulnerability in VMware ESXi, Workstation, and Fusion allows a malicious actor to leak memory from the VMX process.
Affected Products:
VMware ESXi – 7.0 prior to 7.0 Update 3s, 8.0 Update 2 prior to 8.0 Update 2d, 8.0 Update 3 prior to 8.0 Update 3d
VMware Workstation – 17.x prior to 17.6.3
VMware Fusion – 13.x prior to 13.6.3
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
External Remote Services
Valid Accounts: Domain Accounts
Remote Services: Remote Desktop Protocol
Exploitation for Privilege Escalation
Hardware Additions
Process Injection
System Services: Service Execution
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Unique Authentication Credentials
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10(1)
CISA ZTMM 2.0 – Continuous User and Device Validation
Control ID: Access: Device and User Authentication
NIS2 Directive – Incident Handling and Response
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology (IT)
Critical exposure to VMware ESXi zero-day exploits enabling VM escape and hypervisor compromise, requiring immediate patching and enhanced virtualization security measures.
Health Care / Life Sciences
Virtualized patient systems vulnerable to APT attacks via ESXi exploitation, risking HIPAA compliance violations and protected health information exposure through hypervisor backdoors.
Financial Services
Banking infrastructure using VMware virtualization faces critical risk from Chinese APT groups exploiting zero-day vulnerabilities to access financial data and trading systems.
Government Administration
Government agencies with ESXi deployments face nation-state threats exploiting year-old zero-days, compromising classified systems and critical infrastructure through VM escape techniques.
Sources
- VMware ESXi zero-days likely exploited a year before disclosure – https://www.bleepingcomputer.com/news/security/vmware-esxi-zero-days-likely-exploited-a-year-before-disclosure/
- Broadcom urges VMware customers to patch ‘emergency’ zero-day bugs under active exploitation – https://techcrunch.com/2025/03/05/broadcom-urges-vmware-customers-to-patch-emergency-zero-day-bugs-under-active-exploitation/
- Over 37,000 VMware ESXi servers vulnerable to ongoing attacks – https://www.bleepingcomputer.com/news/security/over-37-000-vmware-esxi-servers-vulnerable-to-ongoing-attacks/
- Alert: VMware Security Updates – March 2025 – https://cyber.gov.rw/updates/article/alert-vmware-security-updates-march-2025/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, enforced lateral movement controls, inline threat inspection, policy-based egress filtering, and comprehensive visibility would have significantly constrained each phase of this advanced attack by limiting unauthorized access, segmenting workloads, and detecting anomalous actions across the hybrid environment.
Control: Cloud Firewall (ACF)
Mitigation: Blocked unauthorized inbound VPN exploitation attempts.
Control: Zero Trust Segmentation
Mitigation: Prevented escalation paths by restricting high-privilege access movements.
Control: East-West Traffic Security
Mitigation: Detected and blocked unauthorized lateral east-west movement.
Control: Threat Detection & Anomaly Response
Mitigation: Detected anomalous backdoor communications in real-time.
Control: Egress Security & Policy Enforcement
Mitigation: Detected and blocked unauthorized outbound data transfers.
Blocked exploit payloads targeting the hypervisor and prevented persistence mechanisms.
Impact at a Glance
Affected Business Functions
- Virtualization Infrastructure
- Cloud Services
- Data Center Operations
Estimated downtime: 5 days
Estimated loss: $500,000
Potential unauthorized access to sensitive data hosted on virtual machines due to hypervisor compromise.
Recommended Actions
Key Takeaways & Next Steps
- Enforce least privilege and microsegmentation policies for all management and hypervisor traffic to contain identity compromise and lateral movement.
- Deploy centralized cloud firewalls and egress controls to strictly limit VPN and outbound data flows.
- Integrate real-time threat detection and anomaly monitoring on east-west and workload-to-workload communication flows.
- Implement inline IPS/IDS capabilities to prevent exploitation of known and emerging hypervisor vulnerabilities.
- Maintain comprehensive, continuous visibility and incident response processes across hybrid and multi-cloud control planes.