Scworld
Chinese-speaking actors exploit VMware ESXi zero-days via SonicWall VPN breach
First seen 9 Jan 2026, 20:34 UTC
•
•49% similarity
•33.2
Share:
Export
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Browse articles
Chinese-speaking threat actors conducted attacks using a VMware ESXi exploit toolkit that leveraged three zero-day vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The initial access was gained through a compromised SonicWall VPN, allowing attackers to pivot to domain controllers and execute the exploit chain. These vulnerabilities were disclosed in March 2025, but the attacks occurred last month.
ThreatCluster AI