Web Shell to Ransomware: New VMware Attack Vector Exposed by Sygnia
Summary:
Cybersecurity researchers at Sygnia have discovered a concerning attack method that exploits recent VMware vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226). This observed technique allows attackers to escape virtual machines, circumvent security controls, and deploy ransomware at scale. The attack begins with a compromised web server as an initial foothold, which is then used to escalate privileges to VMware's ESXi hypervisor. Once they gain access to the hypervisor, attackers can move laterally within the virtualization layer, extract sensitive credentials, gain access to vCenter, and ultimately deploy ransomware, encrypting VM disk files and exfiltrating data. The report highlights the severe impact of these vulnerabilities, emphasizing that they bypass traditional security measures and leave organizations vulnerable to network-wide ransomware attacks.
The report details the following hypothetical attack scenario involving a parcel delivery company with an on-premises infrastructure built primarily on Windows and VMware virtualization to illustrate the impact of these attacks:
- Initial Compromise: The attacker scans the company’s website for vulnerabilities and exploits an unprotected input field to deploy a web shell onto the system. Alternatively, they could exploit a known vulnerability in the web application or find an exposed SSH/RDP service with leaked credentials.
- Escaping the Virtual Machine: The attacker, now inside the web server VM, discovers they lack direct network access to the internal environment. To bypass these restrictions, they exploit CVE-2025-22224, allowing them to execute code directly on the ESXi host and escape the virtualized environment.
- Moving Laterally and Extracting Credentials: With code execution on the ESXi host, the attacker exploits CVE-2025-22225 to escalate privileges and gain kernel-level access. They can then access and manipulate other VMs on the same host. To further the attack, they exploit CVE-2025-22226 to dump memory from other VMs, extracting sensitive data like LSASS credentials and other unencrypted secrets.
- Gaining Access to vCenter via SSH: The attacker leverages the stolen credentials to log into vCenter or additional ESXi hosts via SSH. This access allows them to further escalate their privileges within the virtualization environment.
- Ransomware Deployment: With access to vCenter or direct control over ESXi hosts, the attacker executes the final stage: data exfiltration and ransomware deployment. This includes exfiltrating sensitive information for extortion, encrypting VM disk files, and deleting backups stored in vSphere Datastores.
The active exploitation of VMware vulnerabilities for VM escape is a significant issue for enterprise environments, many of which employ VMware’s services for business processes. Sygnia's report underscores the critical risk posed by these vulnerabilities, as they enable attackers to operate and evade standard security controls. The ability to bypass network restrictions and identity checks by moving within the virtualization layer effectively hides from security teams, who often lack visibility on ESXi hosts. This attack vector highlights a gap in current security architectures, where even robust defenses like EDR, firewalls, and SIEM can be rendered ineffective. The scenario presented by Sygnia, involving a parcel delivery company, serves as a stark reminder that any exposed VM, including web servers, mail servers, and VDI environments, can act as an initial infection point. A comprehensive security strategy that includes enhanced monitoring and defense at the hypervisor level is imperative for organizations. The reality that attackers can leverage these exploits to achieve wide-scale ransomware deployment should draw the attention of defenders.
Suggested Corrections:
Tactical and Strategic Recommendations from Sygnia can be found in the Sygnia report linked below.
General ESXi / Hypervisors Suggested Corrections:
Network Isolation
When configuring networking on the ESXi hosts, only enable VMkernel network adapters on the isolated management network. VMkernel network adapters provide network connectivity for the ESXi hosts and handle necessary system traffic for functionality such as vSphere vMotion, vSAN, and vSphere replication. Ensure that all dependent technologies such as vSANs and backup systems that the virtualization infrastructure will use are available on this isolated network. If possible, use dedicated management systems exclusively connected to this isolated network to conduct all management tasks of the virtualization infrastructure.
Identity and Access Management
Consider decoupling ESXi and vCenter Servers from Active Directory and use vCenter Single Sign-On. Removing ESXi and vCenter from Active Directory will prevent any compromised Active Directory accounts from being able to be used to authenticate directly to the virtualization infrastructure. Ensure administrators use separate and dedicated accounts for managing and accessing the virtualized infrastructure. Enforce multi-factor authentication (MFA) for all management access to vCenter Server instances and store all administrative credentials in a Privileged Access Management (PAM) system.
Services Management
To further restrict services and management of ESXi hosts, implement lockdown mode. This ensures that ESXi hosts can only be accessed through a vCenter Server, disables some services, and restricts some services to certain defined users. Configure the built-in ESXi host firewall to restrict management access only from specific IP addresses or subnets that correlate to management systems on the isolated network. Determine the appropriate risk acceptance level for vSphere Installable Bundles (VIBs) and enforce acceptance levels in the Security Profiles for ESXi hosts. This protects the integrity of the hosts and ensures unsigned VIBs cannot be installed.
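The firewall, VIB acceptance level and syslog settings described above can be audited from captured esxcli output. The following Python script is an added example (not from Sygnia or VMware); it assumes a management subnet of 10.10.0.0/24 and uses constructed sample output whose column layout approximates what `esxcli network firewall ruleset allowedip list` and `esxcli system syslog config get` print.

```python
import ipaddress
import re

# Constructed sample output modelled on `esxcli network firewall ruleset allowedip list`
# and `esxcli system syslog config get`; spacing is approximate and values are invented.
ALLOWEDIP_LIST = """\
Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
vSphereClient  10.10.0.0/24
ntpClient      All
"""
SYSLOG_CONFIG = """\
   Local Log Output: /scratch/log
   Remote Host: <none>
"""
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]     # assumed isolated management subnet
MGMT_RULESETS = {"sshServer", "vSphereClient", "webAccess"}  # rulesets that expose host management

def audit_firewall(output, mgmt_nets=MANAGEMENT_NETS):
    """Flag management rulesets reachable from anything outside the management network."""
    findings = []
    for line in output.splitlines()[2:]:          # skip the header and underline rows
        name, _, allowed = line.partition(" ")
        if name not in MGMT_RULESETS:
            continue
        allowed = allowed.strip()
        if allowed.lower() == "all":
            findings.append((name, "open to all source IPs"))
            continue
        for cidr in allowed.split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if not any(net.subnet_of(m) for m in mgmt_nets):
                findings.append((name, f"allows non-management range {net}"))
    return findings

def audit_syslog(output):
    """Flag a host that is not forwarding its logs to a remote collector (the SIEM)."""
    m = re.search(r"^\s*Remote Host:\s*(.+)$", output, re.MULTILINE)
    host = m.group(1).strip() if m else ""
    return [] if host and host != "<none>" else [("syslog", "no remote log host configured")]

def audit_acceptance(level):
    """`esxcli software acceptance get` prints the level; CommunitySupported admits unsigned VIBs."""
    return [("vib-acceptance", f"{level} permits unsigned VIBs")] if level == "CommunitySupported" else []

def audit_host(allowedip=ALLOWEDIP_LIST, syslog=SYSLOG_CONFIG, acceptance="CommunitySupported"):
    """Combine the three checks into one list of (item, issue) findings for a host."""
    return audit_firewall(allowedip) + audit_syslog(syslog) + audit_acceptance(acceptance)
```

Run against the constructed sample, the script reports the SSH ruleset open to all sources, no remote syslog host, and a VIB acceptance level that permits unsigned bundles.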
Log Management
Centralized logging of ESXi environments is critical, both to proactively detect potential malicious behavior and investigate an actual incident. Ensure all ESXi host and vCenter Server logs are being forwarded to the organization’s SIEM solution. This provides visibility into security events beyond that of normal administrative activity.
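Once ESXi logs reach the SIEM, the SSH lateral movement from the scenario above (stolen credentials reused against ESXi hosts) can be caught with a rule like the following Python detector. It is an added example, not from Sygnia; it assumes a management subnet of 10.10.0.0/24 and uses constructed sshd lines that approximate the ESXi auth log format as forwarded by syslog.

```python
import ipaddress
import re
from collections import Counter

MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed isolated management subnet

# Constructed sample lines in the shape of ESXi sshd entries as they arrive at a syslog
# collector (hostname inserted by the forwarder); hosts, addresses and PIDs are invented.
SAMPLE_LOG = """\
2025-03-06T02:14:07Z esx01 sshd[2104567]: Accepted keyboard-interactive/pam for root from 10.10.0.21 port 51530 ssh2
2025-03-06T02:15:41Z esx01 sshd[2104599]: Accepted keyboard-interactive/pam for root from 172.16.5.40 port 40122 ssh2
2025-03-06T02:16:02Z esx02 sshd[2200001]: Failed keyboard-interactive/pam for root from 172.16.5.40 port 40130 ssh2
2025-03-06T02:16:09Z esx02 sshd[2200002]: Failed keyboard-interactive/pam for root from 172.16.5.40 port 40131 ssh2
2025-03-06T02:16:15Z esx02 sshd[2200003]: Accepted keyboard-interactive/pam for root from 172.16.5.40 port 40132 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse(log):
    """Turn forwarded sshd lines into event dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def detect(log, mgmt_nets=MANAGEMENT_NETS, fail_threshold=2):
    """Return (severity, host, src, reason) alerts for SSH activity on ESXi hosts."""
    alerts = []
    failures = Counter()
    for ev in parse(log):
        src = ipaddress.ip_address(ev["src"])
        in_mgmt = any(src in n for n in mgmt_nets)
        if ev["result"] == "Failed":
            key = (ev["host"], ev["src"])
            failures[key] += 1
            if failures[key] == fail_threshold:
                alerts.append(("medium", ev["host"], ev["src"], f"{fail_threshold} failed SSH logins"))
        elif not in_mgmt:
            # A VM-facing address reaching the ESXi SSH service is the lateral-movement pattern
            # the report describes: credentials stolen from a VM reused directly on the host.
            alerts.append(("high", ev["host"], ev["src"],
                           f"SSH login as {ev['user']} from outside the management network"))
    return alerts
```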
Link(s):
https://securityonline.info/web-shell-to-ransomware-new-vmware-attack-vector-exposed-by-sygnia/
https://www.sygnia.co/threat-reports-and-advisories/breaking-the-virtual-barrier-web-shell-to-ransomware/