Chinese-speaking hackers exploited ESXi zero-days long before disclosure

vm_admin
Chinese-speaking hackers exploited ESXi zero-days long before disclosure

Chinese-speaking hackers exploited ESXi zero-days long before disclosure

Pierluigi Paganini
January 09, 2026

Chinese-speaking attackers used a hacked SonicWall VPN to deploy ESXi zero-days that were likely exploited over a year before public disclosure.

Chinese-speaking attackers were seen abusing a hacked SonicWall VPN to deliver a toolkit targeting VMware ESXi.

The exploit chain included a sophisticated VM escape and appears to have been developed more than a year before the related VMware flaws were publicly disclosed. Analysis of attacks observed in December 2025 suggests the group had early knowledge of three ESXi zero-day vulnerabilities later revealed in March 2025, indicating long-term, covert exploitation of unknown flaws.

In December 2025, Huntress researchers detected an intrusion that led to the deployment of a VMware ESXi exploit toolkit, with initial access attributed to a compromised…

Related Posts

Killing VMware
Killing VMware

When Broadcom bought VMware for $69 billion last November, we knew there would be changes. What we didn’t know is…