Chinese-linked cybercriminals were sitting on a working VMware ESXi hypervisor escape kit more than a year before the bugs it relied on were made public.

That's according to researchers at Huntress, who this week published a breakdown of an intrusion they observed in December 2025 in which a "sophisticated" toolkit was used to break out of virtual machines and target the ESXi hypervisor itself. The security firm says parts of the code point to development starting as early as February 2024 – a full year before VMware disclosed the bugs in March 2025.

The incident began in a very unglamorous way – with a compromised SonicWall VPN appliance. From there, the attackers were able to commandeer a Domain Admin account, pivot across the network, and eventually deploy a suite of tools that Huntress says exploited multiple flaws to escape a guest VM and reach the underlying ESXi hypervisor.

VM escape bugs are particularly serious because they break a promise virtualization is built on: that a hacked VM stays in its own box. In this case, the attackers appear to have stitched together ESXi-specific tricks that enabled them to jump the fence and execute code on the hypervisor itself.

Huntress's analysis of the binaries revealed development paths with simplified Chinese strings and folders labeled with Chinese text meaning "All version escape – delivery," hinting at the region and intent behind the work. What's more, the researchers say the code carried timestamps showing it was put together well before VMware acknowledged or fixed the vulnerabilities.

Those flaws – tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 – were flagged by VMware in March 2025 as critical and high-severity bugs that could be chained to compromise the hypervisor from a guest VM. At the time, the company warned it had "information to suggest that exploitation [of all three CVEs] has occurred in the wild."

• Beijing-linked hackers are hammering max-severity React bug, AWS warns
• Spy turned startup CEO: 'The WannaCry of AI will happen'
• Apple, Google forced to issue emergency 0-day patches
• Attacks pummeling Cisco AsyncOS 0-day since late November

While organizations scrambled to patch their ESXi hosts once the advisory dropped, Huntress's findings suggest at least some skilled actors were already weaponizing those issues long before IT teams were even aware they existed.

This wasn't just a smash-and-grab. Huntress says the attackers disabled VMware's own drivers, loaded unsigned kernel modules, and phoned home in ways designed to go unnoticed. The toolkit supported a wide range of ESXi versions, spanning over 150 builds, which would have let the attackers hit a broad swath of environments had they not been stopped, it added.

It's also not the first time attackers linked to China have been caught quietly abusing zero-days in widely used enterprise software, and campaigns like Volt Typhoon showed how China-linked attackers can sit quietly inside enterprise networks for months, keeping their heads down. In that case, too, most victims had no idea anything was wrong until well after the fact. ®