Chinese-speaking threat groups exploited a compromised SonicWall VPN to deploy a VMware ESXi zero-day exploit, potentially leading to a hypervisor compromise and a ransomware attack. The sophisticated multi-stage attack used multiple vulnerabilities and advanced evasion techniques, highlighting the importance of securing VPNs and hypervisors. #SonicWallVPN #VMwareESXi #ZeroDayExploit
Key points
- Threat actors exploited three VMware CVEs that Broadcom identified as zero-days in March 2025.
- The attack involved a multi-stage toolkit that facilitated VM escape and hypervisor control.
- Chinese language strings in the toolkit suggest the developer may be operating from a Chinese-speaking region.
- Use of the VSOCK protocol and a custom backdoor (“VSOCKpuppet”) enabled stealthy, persistent access to ESXi hosts.
- The attack demonstrates the danger of unpatched hypervisor vulnerabilities and the need for prompt security updates.
Read More: https://thehackernews.com/2026/01/chinese-linked-hackers-exploit-vmware.html