Evidence of Early Exploitation and Hypervisor Compromise
New research from Huntress indicates that threat actors were exploiting VMware ESXi vulnerabilities more than a year before they were publicly disclosed. The findings suggest a mature exploit chain was already in use as early as February 2024, well ahead of Broadcom’s March 2025 zero-day advisory.
The activity was uncovered during an investigation into attacks observed in December 2025. According to Huntress, the intrusion began with a compromised SonicWall VPN appliance, which provided attackers with an initial foothold into the environment. From there, they escalated privileges, moved laterally through domain controllers, and ultimately deployed an exploit chain that escaped a guest virtual machine and compromised the underlying ESXi hypervisor.
The Vulnerabilities Involved
Huntress believes the attackers likely chained three VMware vulnerabilities disclosed by Broadcom in March 2025. These include CVE-2025-22226, an out-of-bounds read in HGFS that allows memory leakage from the VMX process; CVE-2025-22224, a critical VMCI time-of-check time-of-use flaw enabling out-of-bounds writes and code execution; and CVE-2025-22225, an arbitrary write vulnerability that enables escape from the VMX sandbox into the kernel.
At the time of disclosure, Broadcom warned that attackers with administrative privileges could combine these flaws to break out of a virtual machine and gain access to the hypervisor. Huntress now reports that the behavior observed in their investigation closely matches this exploitation pattern, suggesting the same vulnerability chain may have been weaponized long before it became publicly known.
While the researchers cannot confirm with absolute certainty that the toolkit uses the exact vulnerabilities described by Broadcom, the exploit’s mechanics align with the documented weaknesses, including HGFS-based information leakage, VMCI memory corruption, and kernel-level sandbox escape.
Evidence of Early Development
Forensic analysis revealed multiple indicators pointing to long-term development of the exploit framework. Embedded build paths inside the binaries reference dates from late 2023 and early 2024, including folder names translated as “full version escape – delivery,” likely targeting ESXi 8.0 Update 3. Additional artifacts suggest the exploit components were part of a broader toolkit that separated exploitation from post-compromise tooling.
This modular design allows attackers to retain the same infrastructure and operational framework while swapping in new vulnerabilities as patches are released. In practice, that means the tooling itself can remain effective even as individual exploits are burned or replaced.
How the Attack Operated
Huntress determined that the attackers first gained access through a compromised SonicWall VPN appliance, then leveraged a compromised Domain Admin account to escalate privileges. From there, they pivoted laterally through domain controllers, staged data for exfiltration, and ultimately executed a virtual machine escape exploit that allowed them to break out of the guest environment and gain direct access to the ESXi host.
The exploit toolkit included multiple components designed to automate and conceal the attack. A Windows-based controller coordinated the VM escape, an unsigned kernel driver performed memory manipulation and sandbox bypass, and an ESXi-resident backdoor provided command execution and file transfer using VSOCK. By communicating over VSOCK, the attackers were able to bypass many traditional network monitoring controls, further reducing the likelihood of detection.
Attribution Signals
While Huntress stopped short of definitive attribution, several indicators suggest the toolkit was developed by a well-resourced actor operating in a Chinese-speaking region. Some build paths contained simplified Chinese, while other components included English-language documentation. Researchers noted that this combination may indicate intent to share or commercialize the capability among other threat groups.
When Exposures Connect, Infrastructure Falls
This intrusion did not start at the hypervisor. It began with exposed remote access, escalated through compromised credentials, and only then leveraged advanced infrastructure flaws. Individually, each weakness was manageable. Together, they formed a complete attack path that delivered control of the virtualization layer, bypassing many of the safeguards organizations depend on to detect and contain threats.
The significance isn’t just the use of zero-days, but how long this activity likely went undetected. Activity that operates beneath the guest operating system sits outside traditional visibility and turns a single entry point into systemic risk. Preventing attacks of this class requires continuous insight into how exposures connect, validation of what can actually be exploited, and prioritization based on real attack paths, not assumptions.