What happened?
In December 2025, Huntress researchers uncovered a sophisticated attack campaign targeting VMware ESXi hypervisors, revealing a threat actor had developed and weaponised exploits for three critical vulnerabilities well before their public disclosure and patching in March 2025. Forensic analysis of the toolkit revealed timestamps dating back to February 2024 - over a year before VMware’s public disclosure.
The vulnerabilities - collectively referred to as "ESXicape" - allow attackers to escape the confines of a virtual machine (VM) and compromise the underlying hypervisor; the core of the attack was the deployment of a zero-day exploit toolkit which chained three ESXi vulnerabilities to achieve VM escape:
- CVE-2025-22226 - an out-of-bounds read in HGFS, leaking memory from the VMX process and disclosing the base address needed for further exploitation.
- CVE-2025-22224 - a vulnerability in VMCI, allowing arbitrary code execution as the VMX process and escalating privileges.
- CVE-2025-22225 - an arbitrary write vulnerability enabling escape from the VMX sandbox to the kernel, ultimately compromising the host system.
Once they had escaped the VM, the attackers deployed a sophisticated backdoor called "VSOCKpuppet" that leverages VSOCK for covert guest-to-host communication, making its traffic invisible to standard network monitoring tools.
Analysis also identified development artefacts in simplified Chinese, suggesting a developer likely operating in a Chinese-speaking region. The toolkit’s English documentation and modular design, however, indicate it may have been intended for sale or distribution to a broader audience.
So what?
VM escape vulnerabilities pose a significant threat - once a guest VM is compromised, attackers can potentially control the entire host and all its workloads. The attackers used methods designed to evade detection, making it harder for defenders to spot and respond to such intrusions using traditional security tools.
This incident also emphasises the importance of basic security hygiene; despite the sophistication of the VM escape exploit, attackers gained initial access through a common and preventable entry point - a compromised SonicWall VPN appliance. Once inside, the attackers exploited the lack of robust monitoring and network segmentation to move laterally and deploy their toolkit.
The broad compatibility of the toolkit means that many organisations remain exposed, especially those running unsupported or end-of-life ESXi versions; at the time of writing, the Shadowserver Foundation reports that approximately 30,000 internet-exposed ESXi instances could be vulnerable to CVE-2025-22224 alone.
What should I do?
As hypervisors become a more attractive target for attackers, organisations should treat virtualisation security as an urgent priority alongside traditional network defences; immediate patching and robust access controls are essential to mitigate these risks and protect critical infrastructure.
- Patch aggressively: VMware ESXi 7.0 and 8.0 should be patched as a priority, and end-of-life versions (6.x and earlier) should be retired, as they no longer receive security patches.
- Secure remote access: ensure strong authentication and access controls are in place, and limit any exposure of management interfaces to the internet. Regularly audit and update VPN appliances and remote access solutions.
- Review network segmentation and access controls: apply the principle of least privilege to user and service accounts; restricting access to critical infrastructure limits opportunities for lateral movement.
- Harden virtualisation infrastructure: VMware’s hardening guides detail best practices for securing ESXi hosts. Consider additional monitoring for suspicious activity, such as the creation of unusual processes or the modification of firewall rules.
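One way to implement the firewall-rule monitoring suggested above, as an added example that is not from the original advisory or from VMware: a small Python script that diffs the table printed by `esxcli network firewall ruleset list` against a baseline capture taken from a known-good host. Both captures below are constructed samples and the ruleset names are illustrative.

```python
"""Flag ESXi firewall ruleset changes against a known-good baseline.

Parses the table printed by `esxcli network firewall ruleset list`
and reports every ruleset whose enabled state differs from the
baseline, so an unexpected change can be alerted on.
"""
import re
from typing import Dict

# Constructed sample: baseline capture from a known-good host.
BASELINE = """\
Name                     Enabled
-----------------------  -------
sshServer                  false
sshClient                  false
nfsClient                  true
vSphereClient              true
"""

# Constructed sample: a later capture from the same host.
CURRENT = """\
Name                     Enabled
-----------------------  -------
sshServer                  true
sshClient                  false
nfsClient                  true
vSphereClient              true
httpClient                 true
"""

# A data row is "<name> <true|false>"; header and separator rows do not match.
ROW = re.compile(r"^(\S+)\s+(true|false)\s*$")

def parse_rulesets(output: str) -> Dict[str, bool]:
    """Return {ruleset name: enabled} from esxcli table output."""
    rulesets = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            rulesets[m.group(1)] = m.group(2) == "true"
    return rulesets

def diff_rulesets(baseline: str, current: str) -> Dict[str, str]:
    """Return {ruleset: description} for every deviation from the baseline."""
    base, cur = parse_rulesets(baseline), parse_rulesets(current)
    changes = {}
    for name in sorted(set(base) | set(cur)):
        if name not in base:
            changes[name] = "new ruleset, enabled=%s" % cur[name]
        elif name not in cur:
            changes[name] = "ruleset removed"
        elif base[name] != cur[name]:
            changes[name] = "enabled %s -> %s" % (base[name], cur[name])
    return changes

if __name__ == "__main__":
    for name, change in diff_rulesets(BASELINE, CURRENT).items():
        print(f"ALERT {name}: {change}")
```

In practice the baseline would be captured once after hardening and the current output pulled on a schedule, with any non-empty diff raised to the SOC.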