
Cybersecurity researchers at Sygnia have described an attack chain that uses three recently disclosed VMware vulnerabilities to escape virtual machines (VMs), bypass security controls, and deploy ransomware at scale: CVE-2025-22224 (a time-of-check/time-of-use flaw in the VMCI component that gives a guest with local administrator rights code execution in the VM's VMX process on the host), CVE-2025-22225 (an arbitrary write in ESXi that lets a compromised VMX process escape its sandbox into the hypervisor kernel), and CVE-2025-22226 (an out-of-bounds read in the HGFS component that leaks memory from the VMX process). The report describes how an attacker can turn a compromised web server into a foothold in a corporate environment, escalate to the ESXi hypervisor underneath it, and from there reach the rest of the virtualization estate, ending in a network-wide ransomware deployment.
VM escape vulnerabilities are not new, but confirmed exploitation in the wild is: Broadcom stated at disclosure that it had information suggesting these three issues were already being exploited. The Sygnia report emphasizes that "the active exploitation of these new VMware vulnerabilities shatters the false sense of security that previously surrounded this attack vector".
The report walks through a simulated attack scenario to show what these vulnerabilities make possible in practice. An attacker compromises a corporate web server, escalates privileges inside the guest, exploits the VMware vulnerabilities to bypass network restrictions, obtains vCenter access, and deploys ransomware. Although the scenario starts from a web server, Sygnia warns that any exposed VM can serve as the entry point, including mail servers, VDI desktops, and even virtualized security appliances. The only prerequisite is administrative access inside one VM in the environment, because all three vulnerabilities are exploited from a guest with local admin rights.
To make the impact concrete, Sygnia models a parcel delivery company with on-premises infrastructure built primarily on Windows and VMware virtualization. The company runs a single large cluster for cost efficiency and high availability and has a reasonable set of controls in place: monthly patching, EDR on all endpoints, a perimeter firewall, and a SIEM with 24/7 monitoring of security events. Externally exposed servers sit in a DMZ with restricted connectivity to the internal network, and the web server powering parcel tracking lives in that DMZ behind the firewall and a WAF module.

The report details the following steps in the attack scenario:
- Initial Compromise: The attacker scans the company's website for weaknesses and exploits an unvalidated input field to drop a web shell onto the server. Alternatively, they could exploit a known vulnerability in the web application or find an exposed SSH/RDP service with leaked credentials. Either way, they end up with administrative control of the web server guest.
- Escaping the Virtual Machine: Inside the web server VM, the attacker finds that the DMZ firewall rules deny direct network access to the internal environment. Rather than fight those rules, they exploit CVE-2025-22224 from the guest, gaining code execution in the VM's VMX process on the ESXi host and thereby escaping the virtualized environment.
- Moving Laterally and Extracting Credentials: With code execution on the ESXi host, the attacker exploits CVE-2025-22225 to break out of the VMX sandbox and gain kernel-level access to the hypervisor, which puts every VM on the host within reach. They then use CVE-2025-22226, an out-of-bounds read in HGFS that leaks VMX process memory, together with their kernel-level access to dump memory belonging to other VMs on the same host, extracting sensitive data such as LSASS credentials and other secrets held unencrypted in memory.
- Gaining Access to vCenter via SSH: The attacker uses the stolen credentials to log into vCenter or additional ESXi hosts over SSH. From the virtualization management plane they can escalate further and reach every host in the cluster, not just the one they escaped onto.
- Ransomware Deployment: With access to vCenter or direct control over the ESXi hosts, the attacker executes the final stage: data exfiltration and ransomware deployment. This includes exfiltrating sensitive information for extortion, encrypting VM disk files on the datastores, and deleting the backups stored on vSphere datastores so that recovery is not possible without paying.
The Sygnia report highlights how little visibility a security team would have during such an attack. Once the attacker escapes the compromised VM and executes code on the ESXi host, the network and identity controls that protect the DMZ boundary are bypassed entirely, because the attacker is moving within the virtualization layer rather than across the network the firewall and SIEM are watching.
ESXi hosts typically run no security agent (EDR is not available for the hypervisor itself), so the exploitation and the subsequent lateral movement would go undetected by the endpoint stack. Even organizations with mature controls and monitoring remain exposed through this gap in prevention and detection. In practice, the controls that remain are the ones that do not depend on an agent: patching ESXi to the builds that fix the three CVEs, keeping SSH disabled and lockdown mode enabled on hosts, isolating the management network, and forwarding ESXi and vCenter syslog to the SIEM so that logins to the virtualization layer are at least visible.
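Because the hypervisor has no agent, the two checks a SOC can actually run are log-based and inventory-based. The following is an added example, not code from the Sygnia report or from VMware: it parses OpenSSH "Accepted" records of the kind ESXi and the vCenter appliance emit (both run OpenSSH; the hostname field is what syslog forwarding prepends), flags logins to virtualization hosts from outside the management network (in the scenario above, the DMZ web server's address), and lists hosts whose running build is below the minimum build that carries the fix. Host names, IP ranges, the sample log lines and the inventory are constructed for illustration; the build numbers are this example's reading of VMSA-2025-0004 and should be confirmed against the advisory before use.

```python
"""
Added example (not from the Sygnia report or VMware): agentless checks for the
ESXi/vCenter attack chain described above.

1. parse_ssh_logins / flag_suspicious_logins: scan forwarded syslog lines for
   OpenSSH 'Accepted' records and flag interactive logins to hypervisor or
   vCenter hosts that do not originate from the management network.
2. unpatched_hosts: compare each host's running build with the minimum build
   that carries the VMSA-2025-0004 fix for its release line.

All names, addresses, log lines and inventory data are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# OpenSSH logs successful authentications as:
#   <ts> <host> sshd[PID]: Accepted <method> for <user> from <ip> port <port> ssh2
# The <host> field is added by syslog forwarding; ESXi's local auth.log omits it.
SSH_ACCEPT = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class SshLogin:
    ts: str
    host: str
    user: str
    method: str
    src: str


def parse_ssh_logins(lines):
    """Return an SshLogin for every 'Accepted' sshd record; ignore everything else."""
    logins = []
    for line in lines:
        m = SSH_ACCEPT.match(line.strip())
        if m:
            logins.append(SshLogin(m["ts"], m["host"], m["user"], m["method"], m["src"]))
    return logins


def flag_suspicious_logins(logins, management_nets, virt_hosts):
    """Flag SSH logins to ESXi/vCenter hosts whose source address is not inside
    one of the management networks. A DMZ web server never has a legitimate
    reason to open an SSH session to the hypervisor or to vCenter."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    hits = []
    for login in logins:
        if login.host not in virt_hosts:
            continue
        try:
            src = ipaddress.ip_address(login.src)
        except ValueError:
            hits.append((login, "unparseable source address"))
            continue
        if not any(src in net for net in nets):
            hits.append((login, "ssh to virtualization host from outside management network"))
    return hits


def unpatched_hosts(inventory, min_fixed_build):
    """inventory: {hostname: (release_line, build)}; min_fixed_build:
    {release_line: build}. Returns hosts still running a build below the fix."""
    return sorted(
        host for host, (line, build) in inventory.items()
        if line in min_fixed_build and build < min_fixed_build[line]
    )


# --- constructed sample data (not real logs or hosts) ---
SAMPLE_LOG = [
    "2025-03-10T02:14:07Z esxi01 sshd[2048]: Accepted keyboard-interactive/pam for root from 10.0.50.12 port 51820 ssh2",
    "2025-03-10T02:31:44Z esxi01 sshd[2051]: Accepted password for root from 172.16.9.20 port 40122 ssh2",
    "2025-03-10T02:33:10Z vcenter sshd[3380]: Accepted password for root from 172.16.9.20 port 40130 ssh2",
    "2025-03-10T02:35:51Z esxi01 sshd[2060]: Failed password for root from 172.16.9.20 port 40140 ssh2",
    "2025-03-10T02:40:00Z web01 sshd[900]: Accepted publickey for deploy from 10.0.50.12 port 22000 ssh2",
]
MANAGEMENT_NETS = ["10.0.50.0/24"]          # assumed management subnet
VIRT_HOSTS = {"esxi01", "esxi02", "vcenter"}  # assumed hypervisor/vCenter hostnames
# Minimum builds carrying the fix, keyed by release line. Assumption taken from
# VMSA-2025-0004 for this example; confirm against the advisory before relying on it.
MIN_FIXED_BUILD = {"ESXi 8.0": 24585300, "ESXi 7.0": 24585291}
INVENTORY = {
    "esxi01": ("ESXi 8.0", 24022510),
    "esxi02": ("ESXi 8.0", 24585383),
    "esxi03": ("ESXi 7.0", 23794027),
}

if __name__ == "__main__":
    for login, reason in flag_suspicious_logins(parse_ssh_logins(SAMPLE_LOG), MANAGEMENT_NETS, VIRT_HOSTS):
        print(f"ALERT {login.ts} {login.host}: {login.user} from {login.src} ({reason})")
    print("unpatched:", unpatched_hosts(INVENTORY, MIN_FIXED_BUILD))
```

On the constructed input the two root logins from 172.16.9.20 (a DMZ address) to esxi01 and vcenter are flagged, the failed attempt and the deploy login to the ordinary web server are not, and esxi01 and esxi03 are reported as below the fixed build. Note that this catches the SSH-based steps of the chain only; the VM escape itself generates no SSH record, which is exactly why the patch check matters more than the log check.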