VMware ESXi Zero-Days Likely Exploited a Year Before Disclosure

www.bleepingcomputer.com/news/secu…

Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that appears to have been developed more than a year before the targeted vulnerabilities were publicly disclosed.

In attacks observed in December 2025 and analysed by managed security firm Huntress, the attackers used a sophisticated virtual machine escape technique that likely exploited three VMware vulnerabilities disclosed as zero-days in March 2025.

Huntress told BleepingComputer it is moderately confident that the exploit toolkit leverages the three vulnerabilities Broadcom disclosed in March 2025. The assessment rests on the exploit's observed behaviour: HGFS (the host-guest file system used for shared folders) is abused for an information leak, VMCI (the virtual machine communication interface) for memory corruption, and shellcode then escapes from the guest into the ESXi kernel. The firm noted, however, that it could not confirm with absolute certainty that the activity matches the exploitation described in Broadcom's original bulletin on the three zero-days.

Edward Kiledjian @ekiledjian