ESXiArgs Ransomware Exploited Unpatched VMware ESXi Servers Worldwide
A large-scale ESXiArgs ransomware campaign hit internet-exposed VMware ESXi servers by exploiting a long-known vulnerability in the OpenSLP service, with incident responders and national authorities warning that many affected systems had not applied available patches. CERT-FR issued an alert on active exploitation affecting VMware ESXi, while broad reporting described widespread compromises across organizations globally as attackers encrypted virtual machine files and dropped ransom notes on hypervisors.
VMware said the attacks did not stem from a newly discovered zero-day, but from exploitation of older, already patched weaknesses and insecurely exposed services on unsupported or unpatched ESXi versions. The incident renewed scrutiny of VMware security after earlier warnings that threat actors, including state-backed operators, had abused VMware flaws such as CVE-2020-4006 for initial access, persistence, and privileged movement inside enterprise environments, underscoring the risk posed by internet-facing virtualization infrastructure that lags on patching and hardening.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Report says three VMware ESXi zero-days were chained before disclosure
SC Media reported that a trio of VMware ESXi zero-day vulnerabilities had been chained in attacks long before they were publicly disclosed. The report introduced a later attribution and technical-development update to the broader ESXi exploitation story.
VMware publishes response to ESXiArgs ransomware attacks
VMware Security Response Center issued an official response to the ESXiArgs attacks, providing guidance and context on the ransomware activity affecting ESXi servers. This marked VMware's public response following the widespread exploitation reports.
Mass exploitation campaign targets unpatched VMware ESXi servers
CERT-FR and BleepingComputer reported a large-scale campaign exploiting a VMware ESXi vulnerability to compromise exposed, unpatched servers worldwide. The activity was associated with the ESXiArgs ransomware attacks.
NSA warns Russian state hackers are exploiting CVE-2020-4006
The NSA disclosed that Russian state-sponsored attackers were actively exploiting CVE-2020-4006 to compromise VMware systems, install web shells, and pivot into Active Directory and ADFS environments. The advisory described the activity as affecting multiple victims.
VMware patches CVE-2020-4006 after NSA notification
VMware released a fix for CVE-2020-4006, a command-injection flaw in VMware products, after being notified by the NSA. Ars Technica reports the patch was issued the Thursday before 2020-12-07.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Trio of VMware ESXi zero-days chained long before disclosure | brief | SC Media
scworld.com
Open sourceVMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attacks - VMware Security Blog - VMware
blogs.vmware.com
Open source[MàJ] Campagne d'exploitation d'une vulnérabilité affectant VMware ESXi - CERT-FR
cert.ssi.gouv.fr
Open sourceMassive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
bleepingcomputer.com
Open sourceNSA says Russian state hackers are using a VMware flaw to ransack networks - Ars Technica
arstechnica.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Flags VMware ESXi CVE-2025-22225 as Exploited in Ransomware Campaigns
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) updated its Known Exploited Vulnerabilities (**KEV**) catalog to indicate that **CVE-2025-22225**, a high-severity VMware ESXi *VMX sandbox escape* flaw, is now **known to be used in ransomware campaigns**. Broadcom patched the issue in March 2025 as part of advisory `VMSA-2025-0004`, describing CVE-2025-22225 as an **arbitrary kernel write** reachable by an attacker with privileges in the `VMX` process, enabling escape from the VMX sandbox to the ESXi kernel. The same advisory also addressed two other zero-days—**CVE-2025-22224** (TOCTOU leading to out-of-bounds write/code execution as the VMX process) and **CVE-2025-22226** (HGFS out-of-bounds read/memory disclosure)—which Broadcom previously tagged as actively exploited in the wild. Reporting also tied the ESXi exploitation to earlier sophisticated activity: Huntress described Chinese-speaking threat actors leveraging access via a compromised SonicWall VPN to deliver tooling targeting VMware ESXi and chaining a VM escape technique that appeared to predate public disclosure of the March 2025 ESXi zero-days. Separately, GreyNoise research highlighted a broader KEV-catalog visibility gap, finding that CISA **quietly “flipped”** dozens of KEV entries during 2025 from “Unknown” to “Known” for ransomware use without prominent public notification—an approach that can materially affect enterprise prioritization when a vulnerability’s status changes to confirmed ransomware exploitation.
Mar 21, 2026
Kyber ransomware hit Windows and ESXi in coordinated cross-platform attacks
Rapid7 reported that a **Kyber ransomware** affiliate deployed two distinct payloads in the same March 2026 intrusion, targeting both **VMware ESXi** infrastructure and **Windows file servers** to maximize operational disruption. The ESXi variant encrypted VMware datastore files, could optionally terminate virtual machines, and defaced SSH and web management interfaces with ransom notes. The Windows variant targeted core file systems and added broader impact features, including killing backup-, database-, and IIS-related services, deleting shadow copies, disabling recovery options, clearing event logs, and testing an experimental **Hyper-V** shutdown capability. The two samples shared the same campaign ID and **Tor-based** negotiation and leak infrastructure, linking them to the same affiliate, but their internals differed sharply. Rapid7 found the ESXi payload falsely advertised post-quantum protection with `Kyber1024`; in practice, it used **ChaCha8** with **RSA-4096** key wrapping. By contrast, the Windows variant, written in **Rust**, appeared to implement the claimed hybrid scheme using **AES-256-CTR**, `Kyber1024`, and **X25519**. Public reporting indicates the group remains relatively new, with limited prior technical analysis and only one victim publicly listed on its extortion site: a large U.S. defense contractor and IT services provider.
Apr 27, 2026
Surge in Ransomware Attacks Targeting Hypervisors, Led by Akira Group
Security researchers have reported a dramatic increase in ransomware attacks targeting hypervisors, with Huntress data showing that the proportion of ransomware incidents involving hypervisors jumped from 3% in the first half of 2025 to 25% in the second half. The Akira ransomware group has been identified as the primary actor behind this trend, exploiting the limited visibility and security controls typically present on hypervisors to bypass traditional endpoint and network defenses. Attackers are leveraging built-in tools such as OpenSSL to encrypt virtual machine volumes directly from the hypervisor, allowing them to impact dozens or hundreds of VMs simultaneously and avoid detection by endpoint security solutions. This shift in tactics underscores the critical need for organizations to harden their hypervisor infrastructure with the same rigor as endpoints and servers. Security experts recommend measures such as patching, strict access control, runtime hardening, and robust backup and recovery strategies to mitigate the risk. The trend highlights that as defenders improve endpoint security, adversaries are increasingly targeting the foundational layers of virtualized environments, making hypervisor security a top priority for organizations relying on virtualization technologies like ESXi.
Mar 21, 2026