Vmware Esxi Zero-days Likely Exploited A Year Before Disclosure (2026)

Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that seems to have been developed more than a year before the targeted vulnerabilities became publicly known.

In attacks from December 2025 analyzed by managed security company Huntress, the hackers used a sophisticated virtual machine (VM) escape that likely exploited three VMware vulnerabilities disclosed as zero-days in March 2025.

Of the three bugs, only one received a critical severity score:

At the time of the disclosure, Broadcom warned that the security issues could be chained by attackers with administrator privileges to escape the VM and gain access to the underlying hypervisor.

However, a new report from Huntress provides clues indicating that vulnerabilities may have been chained into an exploit since at least February 2024.

In the PDB paths of the exploit binaries, the researchers found a folder named "2024_02_19," suggesting that the package was developed as a potential zero-day exploit.

Furthermore, from the name of the folder, which translates to "All/Full version escape - delivery," it could be inferred that the intended target was ESXi 8.0 Update 3.

Huntress assesses that initial access likely came through a compromised SonicWall VPN. The attacker used a compromised Domain Admin account to pivot via RDP to domain controllers, stage data for exfiltration, and run an exploit chain that breaks out of a guest VM into the ESXi hypervisor.

The exploit toolkit involved the following components:

The researchers found more clues pointing to the build date of the toolkit. A PDB path embedded in the 'client.exe' binary has a folder named "2023_11_02."
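To show how the build-date clue Huntress describes can be pulled from a binary during triage, here is an added example (not code from the Huntress report or BleepingComputer): it locates CodeView "RSDS" debug records, reads the PDB path that follows the GUID and age fields, and flags folder names shaped like YYYY_MM_DD. The sample bytes and paths are constructed for illustration and are not indicators from the actual toolkit.

```python
import re
import struct
import uuid

# Constructed sample blob carrying a CodeView record. Real layout inside a PE
# debug directory: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path.
# The path below is made up and is not the real toolkit's PDB path.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + uuid.UUID(int=0x1234).bytes_le + struct.pack("<I", 1)
    + b"C:\\work\\2024_02_19\\x64\\Release\\exploit.pdb\x00"
    + b"\x00" * 32
)

# A folder component such as 2024_02_19: four-digit year, valid month and day,
# not embedded inside a longer digit run.
DATE_DIR = re.compile(
    r"(?<![0-9])(20[0-9]{2})_(0[1-9]|1[0-2])_(0[1-9]|[12][0-9]|3[01])(?![0-9])"
)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every NUL-terminated PDB path that follows an RSDS header."""
    paths = []
    pos = 0
    while True:
        pos = data.find(b"RSDS", pos)
        if pos < 0:
            break
        start = pos + 4 + 16 + 4  # skip signature, GUID and age
        end = data.find(b"\x00", start)
        if end > start:
            try:
                paths.append(data[start:end].decode("utf-8"))
            except UnicodeDecodeError:
                pass  # not a text path; skip this candidate
        pos += 4
    return paths


def date_segments(path: str) -> list[str]:
    """Return the YYYY_MM_DD-looking folder names found in a PDB path."""
    return [m.group(0) for m in DATE_DIR.finditer(path)]


def triage(data: bytes) -> dict[str, list[str]]:
    """Map each recovered PDB path to its date-like folder names."""
    return {p: date_segments(p) for p in extract_pdb_paths(data)}
```

A binary with no RSDS record yields an empty mapping, so the output is safe to feed straight into a wider triage report.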

Source: BleepingComputer