
Exploit for VMware Zero-Day Flaws Likely Built a Year Before Public Disclosure

A Chinese threat actor built an exploit for three VMware ESXi vulnerabilities more than a year before they were publicly disclosed and patched in March 2025, cybersecurity firm Huntress reports.

The three bugs, tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226 and collectively named ESXicape, allow privileged attackers to execute arbitrary code and escape the VM to compromise the hypervisor itself.

VMware owner Broadcom warned last year that the three flaws had been exploited in the wild as zero-days, but did not share information on the attacks.

Now, Huntress says a threat actor attempted to exploit the VMware ESXi vulnerabilities in December 2025, in an attack that likely involved ransomware.

Initial access to the targeted environment, Huntress says, was obtained through a compromised SonicWall VPN instance.

The hackers then abused a Domain Admin (DA) account to access the primary domain controller, and from there deployed the ESXi exploit toolkit.

As part of the attack, the hackers ...


Copyright of this story solely belongs to SecurityWeek.