惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
WordPress大学
WordPress大学
宝玉的分享
宝玉的分享
人人都是产品经理
人人都是产品经理
博客园 - 聂微东
IT之家
IT之家
V
V2EX
Jina AI
Jina AI
V
Visual Studio Blog
有赞技术团队
有赞技术团队
博客园 - 司徒正美
博客园 - 叶小钗
The Cloudflare Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
小众软件
小众软件
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 三生石上(FineUI控件)
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Google DeepMind News
Google DeepMind News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
腾讯CDC
Google Online Security Blog
Google Online Security Blog
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
N
News and Events Feed by Topic
N
News and Events Feed by Topic
The Last Watchdog
The Last Watchdog
W
WeLiveSecurity
月光博客
月光博客
Security Archives - TechRepublic
Security Archives - TechRepublic
Webroot Blog
Webroot Blog
SecWiki News
SecWiki News
博客园_首页
罗磊的独立博客
量子位
Latest news
Latest news
I
Intezer
V
Vulnerabilities – Threatpost
A
Arctic Wolf
Last Week in AI
Last Week in AI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
S
SegmentFault 最新的问题
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Palo Alto Networks Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
N
News | PayPal Newsroom

The Register - Software: Virtualization

NodeWeaver says its perpetual licensing beats VMware’s perpetual price hikes NodeWeaver: Perpetual licensing beats VMware nickel-and-dime Microsoft cuts cloudy desktop prices by 20 percent Nutanix to add KubeVirt support to run VM on K8s at the edge Western Union zaps VMware and moves to Nutanix Nutanix thinks some Azure cloud desktops belong on-prem Nutanix thinks some Azure cloud desktops belong on-prem Nutanix brings its K8s to bare metal Half of VMware users plan to reduce usage by 2028 Xen Project announces five years of support for all releases Xen Project announces five years of support for all releases Broadcom says AI companies can’t make their own silicon One vendor doesn't mind high RAM prices: VMware NUC, NUC! Who’s there? ASUS with a thin client for cloud PCs Why flexibility will define the future of functionality AWS adds nested virtualization option for handful for EC2 Cisco set to release hypervisor as VMware alternative Cisco set to release hypervisor as VMware alternative Contain your Windows apps inside Linux Windows VMware scores early win in Siemens software licensing case Broadcom 'bulldozes' VMware CSPs with March deadline Java devs want container security - not the hassle Microsoft to face questions over From SA program Dell wants £10m+ from VMware if Tesco case goes against it Lenovo has a hunch you’re about to try quitting VMware China crew abused ESXi zero-days a year before disclosure AWS adds hybrid cloud storage support for Nutanix Nutanix pushes sovereign cloud in another swipe at VMware Nutanix pushes sovereign cloud in another swipe at VMware VMware kills vSphere Foundation in parts of EMEA European cloud trade group says EU should have blocked VMware-Broadcom merger Researchers spot 700 percent increase in hypervisor attacks Researchers spot 700 percent increase in hypervisor attacks Proxmox delivers its software-defined datacenter contender Proxmox delivers its software-defined datacenter contender HPE positions Morpheus stack as alternative to VMware VMware re-states claim Siemens used unlicensed software VMware re-states claim Siemens used unlicensed software 70-hour work weeks no longer enough for Infosys founder Veeam bets on more VMware alternatives Veeam bets on more VMware alternatives Ford straps in as Xen Project drives toward automotive use Microsoft reveals new cloudy AI PC that’s not a Copilot+ PC VMware admits it over-specced storage servers for years Server virtualization market heats up to win VMware refugees Kubernetes overlords retire Ingress NGINX Broadcom creates a new Seal Of Approval for AI servers Broadcom creates a new Seal Of Approval for AI servers Rideshare giant dumps 200 cloudy Macs, saves $2.4 million IBM Cloud stops seeking new customers for its VMware service In Tesco vs. VMware, Computacenter warns, Dell, Broadcom VMware bungles cloud management portal upgrade, twice VMware bungles cloud management portal upgrade, twice Microsoft starts streaming cloudy apps instead of desktops Open source Cloud Hypervisor adds (futile) no-AI-code policy Proxmox delivers datacenter manager beta VMware to lose 35 percent of workloads in three years – some to its friends at ‘proper clouds’ VMware to lose 35 percent of workloads in three years Citrix products sold under old licenses to get glitchy Rethinking application delivery for the hybrid world VMware's in court again. Tesco latest in line Broadcom admits it’s sold a lot of VMware shelfware Supermarket giant Tesco sues VMware for breach of contract DOGE delayed deals, says Nutanix VirtualBox 7.2 fixes 3D guests, adds Arm-on-Arm support Cloudy PCs now often have lower TCO than laptops Platform9 pushes swing capacity workaround for VMware shifts Virtualization vet pushes out Proxmox VE 9, Backup Server 4 Oracle VirtualBox licensing tweak lies in wait for unwary EU cloud players want Europe to annul Broadcom’s VMWare buy How to host a Linux-powered local dev site in Windows VMware portal prevents some users from downloading patches VMware slows release cadence for flagship VCF suite Telefónica DE shifts VMware support to Spinnaker due to cost Citrix returns to hypervisor market without updating wares VMware’s rivals ramp efforts to create alternative stacks
China crew abused ESXi zero-days a year before disclosure
Carly Page Carly Page · 2026-01-09 · via The Register - Software: Virtualization

Virtualization

China-linked cybercrims abused VMware ESXi zero-days a year before disclosure

Huntress analysis suggests VM escape bugs were already weaponized in the wild

Chinese-linked cybercriminals were sitting on a working VMware ESXi hypervisor escape kit more than a year before the bugs it relied on were made public.

That's according to researchers at Huntress, who this week published a breakdown of an intrusion they observed in December 2025 in which a "sophisticated" toolkit was used to break out of virtual machines and target the ESXi hypervisor itself. The security firm says parts of the code point to development starting as early as February 2024 – a full year before VMware disclosed the bugs in March 2025.

The incident began in a very unglamorous way – with a compromised SonicWall VPN appliance. From there, the attackers were able to commandeer a Domain Admin account, pivot across the network, and eventually deploy a suite of tools that Huntress says exploited multiple flaws to escape a guest VM and reach the underlying ESXi hypervisor.

VM escape bugs are particularly serious because they break a promise virtualization is built on: that a hacked VM stays in its own box. In this case, the attackers appear to have stitched together ESXi-specific tricks that enabled them to jump the fence and execute code on the hypervisor itself.

Huntress's analysis of the binaries revealed development paths with simplified Chinese strings and folders labeled with Chinese text meaning "All version escape – delivery," hinting at the region and intent behind the work. What's more, the researchers say the code carried timestamps showing it was put together well before VMware acknowledged or fixed the vulnerabilities.

Those flaws – tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 – were flagged by VMware in March 2025 as critical and high-severity bugs that could be chained to compromise the hypervisor from a guest VM. At the time, the company warned it had "information to suggest that exploitation [of all three CVEs] has occurred in the wild."

While organizations scrambled to patch their ESXi hosts once the advisory dropped, Huntress's findings suggest at least some skilled actors were already weaponizing those issues long before IT teams were even aware they existed.

This wasn't just a smash-and-grab. Huntress says the attackers disabled VMware's own drivers, loaded unsigned kernel modules, and phoned home in ways designed to go unnoticed. The toolkit supported a wide range of ESXi versions, spanning over 150 builds, which would have let the attackers hit a broad swath of environments had they not been stopped, it added.

It's also not the first time attackers linked to China have been caught quietly abusing zero-days in widely used enterprise software, and campaigns like Volt Typhoon showed how China-linked attackers can sit quietly inside enterprise networks for months, keeping their heads down. In that case, too, most victims had no idea anything was wrong until well after the fact. ®