Reupping this thread - remember to patch both #ESXicape and CVE-2025-22230 in VMware Tools.

The four vulns chained together allow full hypervisor escape from a Windows VM, without needing admin rights, gaining full SAN storage access to all VMs from one host - including to backups.

I understand technical exploitation details for this will start to emerge in public late next week, which will enable more groups to jump on the bandwagon. Currently limited to a ransomware group.

#threatintel
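As an added example (not code from the original thread, and not VMware's or Broadcom's own tooling), here is a PowerCLI inventory that flags ESXi hosts and Windows guests still below a patched baseline, so "patch both" can be checked across a cluster rather than host by host. Assumptions: PowerCLI is installed and the session is already connected with Connect-VIServer; the function name Get-EsxicapePatchStatus and its two parameters are hypothetical; the fixed build and Tools version numbers are not stated in the thread and must be taken from Broadcom's advisories and passed in, not copied from here.

```powershell
# Added inventory example, not from the original thread or from VMware/Broadcom.
# Assumes PowerCLI is installed and Connect-VIServer has already been run.
# Fixed build/version numbers are deliberately NOT hardcoded (the thread does not
# state them): read them from Broadcom's advisories and pass them in.

function Get-EsxicapePatchStatus {
    param(
        # Hypothetical parameter: map of ESXi "major.minor" -> minimum fixed build number,
        # e.g. @{ '8.0' = <build>; '7.0' = <build>; '6.7' = <build>; '6.5' = <build> }
        [Parameter(Mandatory)] [hashtable] $MinEsxiBuild,
        # Hypothetical parameter: minimum fixed VMware Tools version, e.g. [version]'x.y.z'
        [Parameter(Mandatory)] [version] $MinToolsVersion
    )

    # Hosts: the hypervisor side of the chain (CVE-2025-22224/22225/22226).
    $hostReport = Get-VMHost | ForEach-Object {
        $key   = ($_.Version -split '\.')[0..1] -join '.'   # "8.0.3" -> "8.0"
        $build = [int]$_.Build
        $min   = $MinEsxiBuild[$key]
        [pscustomobject]@{
            Object     = 'ESXi host'
            Name       = $_.Name
            Version    = "$($_.Version) build $build"
            Baseline   = if ($min) { "build >= $min" } else { 'none supplied' }
            NeedsPatch = if (-not $min) { 'UNKNOWN (no baseline for this version)' }
                         elseif ($build -lt $min) { 'YES' } else { 'no' }
        }
    }

    # Guests: the in-VM privilege escalation side (CVE-2025-22230, Windows guests).
    $vmReport = Get-VM | Where-Object { $_.PowerState -eq 'PoweredOn' } | ForEach-Object {
        $raw = [string]$_.Guest.ToolsVersion
        # Recent PowerCLI reports a dotted version ("12.x.y"); older releases return an
        # internal integer that cannot be compared here, so those are flagged for review.
        $parsed    = $null
        $isDotted  = [version]::TryParse($raw, [ref]$parsed)
        $isWindows = $_.Guest.OSFullName -like '*Windows*'
        [pscustomobject]@{
            Object     = 'VM'
            Name       = $_.Name
            Version    = if ($raw) { "Tools $raw" } else { 'Tools not reported' }
            Baseline   = "Tools >= $MinToolsVersion"
            NeedsPatch = if (-not $isWindows) { 'n/a (non-Windows guest)' }
                         elseif (-not $isDotted) { 'UNKNOWN (check manually)' }
                         elseif ($parsed -lt $MinToolsVersion) { 'YES' } else { 'no' }
        }
    }

    @($hostReport) + @($vmReport)
}

# Usage (fill the placeholders from Broadcom's advisories):
#   Get-EsxicapePatchStatus -MinEsxiBuild @{ '8.0' = <build>; '7.0' = <build> } `
#                           -MinToolsVersion '<x.y.z>' |
#       Where-Object NeedsPatch -ne 'no' | Format-Table -AutoSize
```

Anything reported as UNKNOWN is not a pass: a host version with no baseline supplied, or a guest whose Tools version cannot be parsed, still needs a manual check against the advisory before it is treated as patched.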

A new twist on #ESXicape - you need local admin rights to escape the VM to the hypervisor, right?

Slight issue - VMware Tools, installed inside VMs, allows local-user-to-local-admin privilege escalation on every VM due to CVE-2025-22230.

“A malicious actor with non-administrative privileges on a Windows guest VM may gain ability to perform certain high-privilege operations within that VM.”

Discovered by Positive Technologies, who the US claim hack for Moscow.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518

If you needed one more reason to move away from VMware, the #ESXicape vulnerability is bad, really bad. It's made worse by a fundamentally insecure design, where all access is granted to an actor from within the management network. VMware is a black box, while OpenStack, OpenShift, Kubernetes, and KVM/QEMU are open source. Give me libre or give me death.
https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc
Use one Virtual Machine to own them all — active exploitation of VMware ESX hypervisor escape ESXicape

Yesterday, VMware quietly released patches for three ESXi zero day vulnerabilities: CVE-2025–22224, CVE-2025–22225, CVE-2025–22226. Although the advisory doesn’t explicitly say it, this is a…

DoublePulsar

Both VMware and Microsoft have declined to comment about #ESXicape, when asked about number of victims and who has the exploit.

Use one Virtual Machine to own them all — active exploitation of VMware ESX hypervisor escape #ESXicape

https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc?gi=2ceb8aa7cc8e

Does anybody know anybody at VMware Security who could have a look at the #ESXicape knowledge base article please?

It's missing 6.5 and 6.7, which are definitely vulnerable and have patches available on Broadcom's site. They're also listed in the VMware Github advisory, but have been missed off the support site. It's causing people to not patch.

Quick mspaint.exe diagram on this, calling it ESXicape

- Have access to something like a Windows 11 Virtual Desktop system in VMware, or a Linux box or some such?

- Use ESXicape, a chain of three zero days, to gain access to the ESXi Hypervisor.

- Use that to access every other VM, and be on the management network of VMware cluster

Once you have this level of access, traditionally you'll see groups like ransomware actors steal files and wipe things. #ESXicape