Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that seems to have been developed more than a year before the targeted vulnerabilities became publicly known.
In attacks from December 2025 analyzed by Huntress, managed security company, the hackers used a sophisticated virtual machine (VM) escape that likely exploited three VMware vulnerabilities disclosed as zero-days in March 2025.
Of the three bugs, only one received a critical severity score:
- CVE-2025-22226 (7.1 severity score): An out-of-bounds read in HGFS that allows leaking memory from the VMX process
- CVE-2025-22224 (9.3 severity score): A TOCTOU vulnerability in Virtual Machine Communication Interface (VMCI) leading to an out-of-bounds write, allowing code execution as the VMX process
- CVE-2025-22225 (8.2 severity score): An arbitrary write vulnerability in ESXi that allows escaping the VMX sandbox to the kernel
At the time of the…
