A cybersecurity incident involving Chinese-speaking threat actors has been linked to a compromised SonicWall VPN appliance, which served as a gateway for deploying a VMware ESXi exploit. This activity, observed by Huntress in December 2025, was halted before it could escalate into a ransomware attack.
Three vulnerabilities were exploited in the incident: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Broadcom publicly disclosed all three in March 2025, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently added them to its Known Exploited Vulnerabilities catalog.
Research indicates that the toolkit used in the attack was likely developed more than a year before the vulnerabilities were publicly disclosed. It comprises several components, including "exploit.exe," which orchestrates the virtual machine escape. The exploit's design points to a sophisticated developer group, potentially operating from a Chinese-speaking region; Chinese-language strings in the toolkit's file paths support that assessment.