Chinese-speaking actors exploit VMware ESXi zero-days via SonicWall VPN breach

Chinese-speaking actors exploit VMware ESXi zero-days via SonicWall VPN breach

First seen 9 Jan 2026, 20:34 UTC Scworld 49% similarity 33.2

Article Content

Browse articles
ThreatCluster

Chinese-speaking threat actors conducted attacks using a VMware ESXi exploit toolkit that leveraged three zero-day vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The initial access was gained through a compromised SonicWall VPN, allowing attackers to pivot to domain controllers and execute the exploit chain. These vulnerabilities were disclosed in March 2025, but the attacks occurred last month.

ThreatCluster AI

Community

Browse all →