We’re currently reading Google’s reporting on VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
One of the big updates for ATT&CK v17 was the new ESXi platform, which reflects the rise in attacks on virtualization infrastructure. The technique we’re spotlighting today is new to ATT&CK: T1675 ESXi Administration Command https://attack.mitre.org/techniques/T1675/
T1675 describes activity in which an adversary abuses ESXi admin services to execute commands on guest machines.
Google’s reporting details the threat actor UNC3886, a Chinese cyber espionage group, using a zero-day vulnerability that enabled the execution of privileged commands on guest virtual machines from a compromised ESXi host, without authenticating with guest credentials and without any default logging on the guest VMs.
Read up on Google’s reporting: https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
And make sure to check out the ESXi material on ATT&CK, including T1675 https://attack.mitre.org/techniques/T1675/
And see the entire v17 release for more information https://medium.com/mitre-attack/attack-v17-dfb59eae2204