VMware A.I CyberSecurity Scoring
VMware
Company Information
Website: https://www.broadcom.com/info/vmware
Employees number: 12,343
Number of followers: 2,049,076
NAICS: 5112
Industry Type: Software Development
Homepage: broadcom.com
VMware Risk Score (AI oriented)
Updated: 15/05/2026
Current Score: 229/1000, grade C (Critical; the Critical band runs from 0 to 549)
19 incidents, -38.33 average point impact per incident
VMware Global Score (TPRM): score locked
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
Score, June 2026: 243
Score, May 2026: 232
Vulnerability • 14 May 2026 • VMware
Broadcom: VMware Fusion Vulnerability Let Attackers Escalate Privilege to Root
Severity: Critical | Impact: -3 points | Score after incident: 229 | Incident ID: VMW1778840944
High-Severity Privilege Escalation Flaw Patched in VMware Fusion
A high-severity local privilege escalation vulnerability (CVE-2026-41702) was discovered in VMware Fusion, Broadcom's macOS virtualization software, allowing local attackers to gain root-level access on affected systems. The flaw, a TOCTOU (time-of-check to time-of-use) race condition in a setuid binary, was privately reported to Broadcom and patched on May 14, 2026, under security advisory VMSA-2026-0003.
The vulnerability affects VMware Fusion version 25H2 on macOS and can be exploited by a local attacker with standard user privileges; no admin rights or remote access are required. Successful exploitation could lead to full system compromise, particularly on shared machines, development workstations, and enterprise endpoints.
Broadcom confirmed that no workarounds exist, so patching is the only remediation: users must upgrade to VMware Fusion 26H1. The flaw was responsibly disclosed by security researcher Mathieu Farrell (@coiffeur0x90).
TOCTOU races in setuid binaries are a well-known local privilege escalation vector: the binary validates a path, and an attacker changes what that path points to before the privileged code uses it. That makes applying the update the only way to close this root-level access path.
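The check-then-use pattern behind TOCTOU bugs, shown in generic form as an added example. This is not code from the page or from VMware Fusion, whose internals Broadcom has not published here; the file names, the ownership check, and the `between_check_and_use` hook that stands in for the race window are all constructed for the demonstration, and nothing needs elevated privileges to run. The vulnerable function validates a path name and then opens that name again; the hardened one opens first (refusing symlinks), validates the descriptor it actually got with `fstat`, and never resolves the name a second time.

```python
import os
import stat
import tempfile


def vulnerable_append(path, data, between_check_and_use=lambda: None):
    """Check the *name*, then open the *name* again: the classic TOCTOU bug.
    In a setuid helper the open() runs with elevated privileges, so whoever
    controls the name during the race window controls which file is written."""
    st = os.lstat(path)                                   # time of check
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        raise PermissionError("not a regular file owned by the caller")
    between_check_and_use()                               # race window (hook is a constructed stand-in)
    with open(path, "ab") as f:                           # time of use: re-resolves the name, follows symlinks
        f.write(data)


def hardened_append(path, data, between_check_and_use=lambda: None):
    """Open once with O_NOFOLLOW, validate the descriptor with fstat, and write
    through that same descriptor. The name is never resolved again, so
    swapping it after the open changes nothing."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)                                 # check the object we hold, not the name
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError("not a regular file owned by the caller")
        between_check_and_use()                           # attacker swaps the name here: too late
        os.write(fd, data)
    finally:
        os.close(fd)


def race_demo():
    """Run both variants against the same attack in a scratch directory.
    Returns what ended up in the 'sensitive' target for each variant and
    whether the hardened variant refused a symlink planted before the open."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sensitive")             # stands in for a root-owned file
        for label, fn in (("vulnerable", vulnerable_append), ("hardened", hardened_append)):
            victim = os.path.join(d, label + "_input")     # caller-owned regular file
            open(target, "wb").close()
            open(victim, "wb").close()

            def swap_for_symlink(p=victim):               # the attacker's move inside the window
                os.remove(p)
                os.symlink(target, p)

            try:
                fn(victim, b"injected\n", between_check_and_use=swap_for_symlink)
            except OSError:
                pass
            with open(target, "rb") as f:
                out[label] = f.read()

        planted = os.path.join(d, "planted")              # symlink already in place before the call
        os.symlink(target, planted)
        try:
            hardened_append(planted, b"injected\n")
            out["hardened_refused_planted_symlink"] = False
        except OSError:                                   # ELOOP from O_NOFOLLOW
            out["hardened_refused_planted_symlink"] = True
    return out


if __name__ == "__main__":
    print(race_demo())
```

The vulnerable variant ends up appending to the sensitive target even though the check passed, because the write re-resolves a name the attacker has since replaced; the hardened variant writes to the unlinked original inode and never touches the target. Real setuid code should additionally drop privileges before opening caller-supplied paths, but the fd-based check above is the part that removes the race.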
Score, April 2026: 221
Vulnerability • 06 Apr 2026 • VMware
PaperCut, Microsoft, VMware and Ivanti: Microsoft links Medusa ransomware affiliate to zero-day attacks
Severity: Critical | Impact: -3 points | Score after incident: 218 | Incident ID: VMWMICPAPIVA1775500095
Storm-1175: China-Based Cybercrime Group Exploits Zero-Days in High-Speed Ransomware Attacks
Microsoft has identified Storm-1175, a financially motivated cybercriminal group based in China, as the operator behind a series of high-velocity ransomware attacks leveraging zero-day and n-day exploits. The group, known for deploying Medusa ransomware, rapidly weaponizes newly disclosed vulnerabilities, sometimes within 24 hours of disclosure and, in some cases, up to a week before patches are released.
Storm-1175's attacks follow a streamlined playbook: initial access via unpatched flaws, followed by credential theft, disabling of security tools, and ransomware deployment, often within days. The group has targeted organizations in healthcare, education, professional services, and finance, with significant impacts in the U.S., U.K., and Australia.
Recent campaigns have exploited over 16 vulnerabilities across 10 software products, including:
- Microsoft Exchange (CVE-2023-21529)
- PaperCut (CVE-2023-27351, CVE-2023-27350)
- Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)
- ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708)
- JetBrains TeamCity (CVE-2024-27198, CVE-2024-27199)
- SmarterMail (CVE-2026-23760, CVE-2025-52691)
- GoAnywhere MFT (CVE-2025-10035)
In October 2025, Microsoft reported Storm-1175 exploiting CVE-2025-10035 (GoAnywhere MFT) before a patch was available. The group has also chained exploits to establish persistence, deploy remote monitoring tools, and exfiltrate data before encrypting systems.
A March 2025 advisory from CISA, the FBI, and MS-ISAC warned that Medusa ransomware attacks had compromised over 300 U.S. critical infrastructure organizations. Microsoft previously linked Storm-1175 to Black Basta and Akira ransomware campaigns exploiting a VMware ESXi flaw in July 2024.
The group’s rapid exploitation of zero-days suggests either advanced in-house capabilities or access to exploit brokers, though many attacks still rely on known (n-day) vulnerabilities. Their tactics highlight the growing threat of high-speed, financially driven cybercrime operations.
Score, March 2026: 211
Vulnerability • 03 Mar 2026 • VMware
Broadcom and Federal Civilian Executive Branch: CISA Warns of VMware Aria Operations Vulnerability Exploited in Attacks
Severity: Critical | Impact: -3 points | Score after incident: 208 | Incident ID: FEDVMW1772605503
Critical VMware Aria Operations Vulnerability Exploited in the Wild, Added to CISA KEV Catalog
A severe command injection vulnerability in VMware Aria Operations, an IT operations management platform for data centers and cloud environments, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation emerged.
The flaw, tracked as CVE-2026-22719, allows unauthenticated attackers to execute arbitrary commands on affected systems, leading to remote code execution (RCE). Exploitation occurs during support-assisted product migrations, posing a high risk to organizations using the platform. Successful attacks could grant threat actors unauthorized system access, command execution, and potential full infrastructure compromise.
Broadcom, VMware’s parent company, released a security advisory detailing the issue, which stems from a CWE-77 (Command Injection) weakness. While the CVSS score remains unassigned, CISA’s inclusion of the vulnerability in the KEV catalog confirms its severity. The agency has not disclosed whether the flaw has been leveraged in ransomware attacks or identified specific threat actors behind the exploitation.
Under CISA’s Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerability by March 24, 2026, either by applying patches or discontinuing use of the product if mitigations are unavailable. Private sector organizations are also urged to prioritize fixes, following Broadcom’s official guidance.
The vulnerability was initially reported to Broadcom, which released patches and workarounds. However, the confirmation of in-the-wild exploitation underscores the urgency for affected users to act. VMware Aria Operations, formerly known as vRealize Operations (vROps), is widely deployed for monitoring, management, and optimization of hybrid and multi-cloud environments.
Score, March 2026: 225
Cyber Attack • 01 Mar 2026 • VMware
BadeSaba: Hackers hit Iranian apps, websites after US-Israeli strikes
Severity: Critical | Impact: -14 points | Score after incident: 211 | Incident ID: BAD1772389516
Cyber Retaliation Likely as U.S.-Israeli Strikes Trigger Iranian Digital Disruptions
On March 1, 2026, a series of cyber operations unfolded alongside joint U.S.-Israeli airstrikes targeting Iran, signaling potential escalation in digital warfare. Cybersecurity experts reported multiple breaches, including the hack of BadeSaba, a widely used Iranian religious app with over 5 million downloads. The app displayed messages urging armed forces to disarm and join civilians, while other compromised news websites broadcast similar calls for accountability.
Internet connectivity in Iran dropped sharply at 0706 GMT and 1147 GMT, according to Doug Madory of Kentik, with only minimal service remaining. The Jerusalem Post reported cyberattacks on Iranian government and military systems, though Reuters could not independently verify these claims. Security researchers noted the strategic targeting of BadeSaba: its user base, primarily religious and pro-government, made it a high-impact platform for psychological operations.
Cybersecurity firms warned of impending retaliation, with Sophos' Rafe Pilling highlighting potential tactics, including amplified data breaches, unsophisticated industrial system compromises, and direct offensive cyber operations. Pro-Iranian hacktivist groups, known for past hack-and-leak campaigns, ransomware, and DDoS attacks, have already issued calls to action, per Halcyon's Cynthia Kaiser. CrowdStrike observed reconnaissance and DDoS activity from Iranian-aligned actors, while Anomali reported state-backed Iranian groups deploying "wiper" attacks against Israeli targets ahead of the strikes.
Despite Iran's reputation as a cyber threat alongside Russia and China, its past responses to physical attacks have been limited. Following U.S. strikes on Iranian nuclear sites in June 2025, cyber retaliation was minimal, with only a brief disruption in Albania's capital, Tirana. The current escalation, however, suggests a shift toward more aggressive digital countermeasures.
Score, February 2026: 220
Vulnerability • 07 Feb 2026 • VMware
VMware: Nitrogen ransomware programmers lock themselves out of a payment — key management bug encrypts victims' data forever
Severity: Critical | Impact: -3 points | Score after incident: 217 | Incident ID: VMW1770515769
Nitrogen Ransomware Bug Destroys Encryption Keys, Leaving Victims and Attackers Empty-Handed
A coding error in a ransomware variant linked to the Nitrogen group has rendered encrypted data permanently unrecoverable, undermining the attackers' ability to extort victims. The flaw affects Nitrogen's VMware ESXi ransomware strain, which targets hypervisors, the critical servers hosting virtual machines (VMs). Hypervisors are often overlooked in security policies, and this attack highlights their exposure when left unprotected.
The bug occurs during encryption: 8 bytes (64 bits) of the embedded public key are overwritten with zeros before the key is used, breaking the key pair. Whatever the encryptor wraps under that damaged public key can no longer be decrypted with the attackers' private key, and no private key matching the damaged public key exists to be derived, so recovery is impossible even for the attackers. Security firm Veeam identified the cause as an off-by-one error, a common programming mistake.
Since no decryption is possible, victims have no incentive to pay the ransom. Their only recourse is restoring from backups or facing permanent data loss. The Nitrogen campaign, active since 2023, has previously targeted North American financial institutions, industrial firms, and game developers, including Red Barrels, the studio behind Outlast.
The incident serves as a rare case of mutually assured destruction in cybercrime, where a developer’s oversight neutralizes the attackers’ leverage and leaves victims with no viable path to recovery.
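To make the failure mode concrete, here is an added example, not Nitrogen's code or any published analysis of it, that models the key wrapping step with textbook RSA. The primes, the per-file key and the "zero the low 8 bytes" corruption are all constructed for the demonstration; Nitrogen's actual key format and algorithm are not described on this page. The point it shows is that once the embedded public key is damaged before use, the attackers' own private key no longer unwraps anything, and the damaged modulus shares no factor with their secret primes, so a matching private key cannot be rebuilt either.

```python
from math import gcd

# Constructed key pair. Two Mersenne primes keep the example deterministic and
# small enough to read; a real attacker key is 2048 bits or more, but the
# arithmetic, and the failure, are identical.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                                  # public modulus embedded in the encryptor
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, held only by the attackers

# Constructed per-file symmetric key (128 bits); a real encryptor draws this at random.
FILE_KEY = 0x7E0A1C55D9B3F2E6A4C8D0E1F3B5A7C9


def wrap_file_key(file_key, n, e=E):
    """What the encryptor does: wrap the file key under the public key it carries.
    If that key was damaged in memory, this is where the damage bites."""
    if not 0 < file_key < n:
        raise ValueError("file key must be smaller than the modulus")
    return pow(file_key, e, n)


def unwrap_file_key(wrapped, n=N, d=D):
    """What the attackers' decryptor does with their private key."""
    return pow(wrapped, d, n)


def zero_low_bytes(n, nbytes=8):
    """Model the reported bug: the low `nbytes` bytes of the public key are
    overwritten with zeros before the key is used."""
    return n & ~((1 << (8 * nbytes)) - 1)


def attacker_can_recover(buggy):
    """True if the attackers' private key unwraps the file key the encryptor produced."""
    embedded = zero_low_bytes(N) if buggy else N
    wrapped = wrap_file_key(FILE_KEY, embedded)
    return unwrap_file_key(wrapped) == FILE_KEY


def matching_private_key_derivable(buggy):
    """Could the attackers rebuild a private key for the modulus actually used?
    Only if their secret primes still divide it. For the damaged modulus they
    do not, so there is no matching private key to derive."""
    embedded = zero_low_bytes(N) if buggy else N
    return gcd(embedded, P) == P and gcd(embedded, Q) == Q


if __name__ == "__main__":
    print("correct build:", attacker_can_recover(False), matching_private_key_derivable(False))
    print("buggy build:  ", attacker_can_recover(True), matching_private_key_derivable(True))
```

For an incident responder the practical consequence is the one the article draws: a decryptor from the attackers cannot work against files encrypted by the buggy build, so negotiation has no upside and restoration from backups is the only path.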
Score, January 2026: 213
Vulnerability • 11 Jan 2026 • VMware
VMware and SonicWall: Chinese-Speaking Threat Actors Allegedly Exploit SonicWall VPN for VMware ESXi Breach
SonicWall VPN Exploitation Leading to VMware ESXi Targeting
Severity: Low | Impact: -3 points | Score after incident: 210 | Incident ID: VMWSON1768209752
Cybersecurity Alert: Chinese-Speaking Threat Actors Exploit SonicWall VPN to Target VMware ESXi Systems
In December 2025, cybersecurity firm Huntress uncovered a sophisticated attack campaign by suspected Chinese-speaking threat actors, who exploited vulnerabilities in SonicWall VPN appliances to gain initial access to targeted networks. The attackers leveraged these compromised VPNs as an entry point, demonstrating a calculated effort to bypass security controls.
The operation extended beyond initial access, with evidence suggesting the threat actors had been developing exploits for VMware ESXi systems as early as February 2024. This prolonged preparation underscores the attackers’ methodical approach and technical sophistication.
Huntress intervened before the intrusion could escalate into a full ransomware deployment, highlighting the critical role of real-time threat detection in mitigating advanced cyber threats. The incident serves as a reminder of the persistent risks posed by well-resourced adversaries, particularly those targeting enterprise infrastructure.
Score, December 2025: 221
Cyber Attack • 22 Dec 2025 • VMware
VMware and RansomHouse: Think you can beat ransomware? RansomHouse just made it a lot harder
Severity: Critical | Impact: -15 points | Score after incident: 206 | Incident ID: UNIVMW1773865474
RansomHouse Upgrades Encryption Tactics, Escalating Threats to Enterprises
Researchers from Palo Alto Networks’ Unit 42 have uncovered a significant evolution in the RansomHouse ransomware-as-a-service (RaaS) operation, introducing a multi-layered, dual-key encryption model that heightens recovery challenges for targeted organizations. The updated encryptor, dubbed "Mario," replaces the group’s previous linear encryption approach with a complex, multi-phase process that complicates decryption and key recovery efforts.
The new encryption scheme generates a 32-byte primary key and an 8-byte secondary key and executes interlocking encryption passes that make data recovery nearly impossible without paying the ransom. The activity, which Unit 42 tracks as Jolly Scorpius, specifically targets VMware ESXi hosts, encrypting files with the extension .e.mario and leaving ransom notes demanding payment. The attack chain also leverages MrAgent, a deployment and persistence utility, to impair operational continuity and recovery.
RansomHouse operates under a modular RaaS model, separating tool developers and leak managers from affiliates who deploy the ransomware. This structure enables rapid scaling and adaptation, even as individual affiliates are disrupted. The group employs a double-extortion tactic, exfiltrating sensitive data before encryption and threatening public disclosure to pressure victims into compliance.
Unit 42’s analysis highlights the group’s growing sophistication, with at least 123 victims listed on its leak site across sectors including healthcare, finance, transportation, and government. The updated encryption not only complicates incident response but also extends recovery timelines, forcing security teams to reassess negotiation strategies.
Indicators of compromise (IoCs), including file hashes, extensions, and ransom note artifacts, have been published to aid enterprises in proactively hunting for related activity in affected environments. The disclosure underscores the limitations of static signature-based detection, emphasizing the need for behavioral analytics, real-time monitoring, and hardened segmentation to counter evolving ransomware threats.
Score, November 2025: 263
Vulnerability • 01 Nov 2025 • VMware
Citrix and VMware: Attackers Turn QEMU Into a Stealth Backdoor for Credential Theft and Ransomware
Severity: Critical | Impact: -61 points | Score after incident: 202 | Incident ID: CITVMW1776702564
Threat Actors Weaponize QEMU as Covert Backdoor for Ransomware and Credential Theft
Cybercriminals are increasingly abusing QEMU, a legitimate open-source virtualization tool, to bypass endpoint security and deploy ransomware or steal credentials undetected. By running malicious operations inside hidden virtual machines (VMs), attackers exploit a critical blind spot: security tools on the host system cannot inspect activity inside the VM, which leaves minimal forensic traces on the host.
Sophos researchers have identified two active campaigns leveraging this technique since late 2025:
1. STAC4713 (November 2025) – Linked to the PayoutsKing ransomware group (GOLD ENCOUNTER), which operates independently rather than as a ransomware-as-a-service. The group targets VMware ESXi hypervisors, using QEMU on compromised Windows hosts to stage its attacks. The infection chain begins with a scheduled task ("TPMProfiler") that runs QEMU under the SYSTEM account, booting from a virtual disk disguised under an innocuous file name (initially vault.db, later bisrv.dll). The VM establishes a reverse SSH tunnel through custom ports (32567, 22022) back to port 22, creating a persistent backdoor. Tools inside the VM include AdaptixC2, Linker2, and a WireGuard obfuscator (wg-obfuscator).
2. STAC3725 (February 2026) – Exploits the CitrixBleed2 vulnerability (CVE-2025-5777) for initial access, then deploys a malicious ScreenConnect client for persistence. Attackers manually compile a toolkit inside the QEMU VM, including Impacket, KrbRelayX, BloodHound.py, NetExec, and Metasploit, to harvest credentials, enumerate Active Directory, and stage payloads via FTP.
Both campaigns demonstrate a growing trend of virtualization-based evasion, where trusted tools like QEMU are repurposed to conceal malicious activity. The technique’s stealth and lack of detectable artifacts make it particularly challenging for defenders to identify and mitigate in real time.
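The host-side traces both campaigns do leave (the QEMU process itself, what it boots from, who launched it, and where it connects) are enough to write detection logic. The following is an added example, not Sophos's detection content and not code from the page: it runs three rules over constructed events shaped loosely like Sysmon process-creation and network-connection records. The indicators (disk images named vault.db / bisrv.dll, launch as SYSTEM from a scheduled task, the tunnel ports 32567 and 22022 and the SSH port 22) come from the reporting above; the event field names, the list of "legitimate" disk-image extensions, and the way a scheduled-task parent is recognised (schtasks.exe, or svchost.exe hosting the Schedule service) are assumptions for the demonstration.

```python
import ntpath
import re

# Indicators taken from the reporting above; the rest of this file is assumption.
TUNNEL_PORTS = {32567, 22022, 22}
DISK_IMAGE_EXTS = {".qcow2", ".img", ".raw", ".vmdk", ".vhd", ".vhdx", ".iso"}
# QEMU disk arguments: "-drive file=X,..." (file= need not be first) or "-hda X".
DRIVE_RE = re.compile(r'(?:-drive\s+(?:\S*?,)?file=|-hd[a-d]\s+)([^,\s"]+)', re.IGNORECASE)

# Constructed events, loosely shaped like Sysmon process-create and
# network-connect records. None of these are real log lines.
EVENTS = [
    {"id": 1, "kind": "process", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\svchost.exe", "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule",
     "image": r"C:\ProgramData\qemu\qemu-system-x86_64.exe",
     "cmdline": r"qemu-system-x86_64.exe -m 2048 -drive file=C:\ProgramData\vault.db,format=raw -nographic"},
    {"id": 2, "kind": "process", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "cmdline": r"qemu-system-x86_64.exe -hda C:\vm\ubuntu.qcow2 -m 4096"},
    {"id": 3, "kind": "network", "image": r"C:\ProgramData\qemu\qemu-system-x86_64.exe",
     "dst_ip": "203.0.113.10", "dst_port": 32567},
    {"id": 4, "kind": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.20", "dst_port": 443},
    {"id": 5, "kind": "process", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\schtasks.exe", "parent_cmdline": "schtasks.exe /run /tn TPMProfiler",
     "image": r"C:\Windows\Temp\q\qemu-system-i386.exe",
     "cmdline": r"qemu-system-i386.exe -drive format=raw,file=C:\Windows\Temp\q\bisrv.dll -snapshot"},
    {"id": 6, "kind": "network", "image": r"C:\Windows\Temp\q\qemu-system-i386.exe",
     "dst_ip": "198.51.100.7", "dst_port": 22},
]


def is_qemu(image):
    return ntpath.basename(image).lower().startswith("qemu-system")


def launched_by_scheduler(ev):
    """Assumed parent signature of a scheduled task: schtasks.exe, or the
    svchost.exe instance that hosts the Task Scheduler (Schedule) service."""
    parent = ntpath.basename(ev["parent"]).lower()
    return parent == "schtasks.exe" or (parent == "svchost.exe" and "schedule" in ev["parent_cmdline"].lower())


def disguised_disk_images(cmdline):
    """Disk images handed to QEMU whose extension is not a disk-image type."""
    return [p for p in DRIVE_RE.findall(cmdline) if ntpath.splitext(p)[1].lower() not in DISK_IMAGE_EXTS]


def analyze(events):
    """Return (event id, rule name, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        if not is_qemu(ev["image"]):
            continue
        if ev["kind"] == "process":
            for img in disguised_disk_images(ev["cmdline"]):
                findings.append((ev["id"], "qemu_disguised_disk_image", img))
            if ev["user"].upper().endswith("SYSTEM") and launched_by_scheduler(ev):
                findings.append((ev["id"], "qemu_scheduled_task_as_system", ev["parent_cmdline"]))
        elif ev["kind"] == "network" and ev["dst_port"] in TUNNEL_PORTS:
            findings.append((ev["id"], "qemu_tunnel_port", f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The developer's QEMU (event 2, a user account, explorer.exe parent, a .qcow2 disk) produces nothing, which is the point: the rules key on how the hypervisor is launched and fed rather than on QEMU's mere presence. In production the same three checks map onto process-creation and network-connection telemetry from an EDR or Sysmon, with the scheduled-task names and ports from the Sophos IoCs added to the constants.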
Score, October 2025: 263
Score, September 2025: 192
Score, August 2025: 180
Score, July 2025: 407
Ransomware • 30 Jul 2025 • VMware
Evolving Social Engineering Tactics and New DragonForce Ransomware Deployment by Scattered Spider
Severity: Critical | Impact: -240 points | Score after incident: 167 | Incident ID: VMW410073025
Scattered Spider, a cybercriminal group, has recently targeted VMware ESXi hypervisors, encrypting entire virtual machine infrastructures using DragonForce ransomware. This attack cripples critical infrastructure, rendering virtual machines inoperable. The group gained initial access through sophisticated social engineering tactics, escalated privileges to gain administrative control, and deployed remote monitoring tools before executing the ransomware. The attack has led to significant financial damages and operational disruptions.
Score, May 2025: 535
Ransomware • 09 May 2025 • VMware
Exploitation of Kickidler for Ransomware Deployment
Severity: Critical | Impact: -93 points | Score after incident: 442 | Incident ID: VMW222051225
Hackers are exploiting Kickidler, a legitimate employee monitoring tool, to harvest login credentials and deploy ransomware encryptors. The attack begins with a poisoned ad on the Google Ads network that leads to a trojanized version of RVTools. This version drops a backdoor called SMOKEDHAM, which is then used to install Kickidler. The monitoring tool is aimed specifically at enterprise administrators and their login credentials, with the goal of infiltrating the network and deploying the encryptor. The payloads targeted VMware ESXi infrastructure, encrypting VMDK virtual hard drives. The Qilin and Hunters International groups, both of which go after cloud backups, have faced more resistance as defenders decouple backup-system authentication from Windows domains.
Score, April 2025: 596
Vulnerability • 01 Apr 2025 • VMware
VMware VMSA-2025-0006 Privilege Escalation Vulnerability
Severity: Critical | Impact: -70 points | Score after incident: 526 | Incident ID: VMW806040125
Broadcom published VMSA-2025-0006 for a high-severity local privilege escalation vulnerability, CVE-2025-22231, affecting VMware Aria Operations. The flaw enables an attacker who already has local administrative access to escalate privileges to root, potentially resulting in full system control, unauthorized data access, service disruption, or further network compromise. Affected products include VMware Aria Operations, VMware Cloud Foundation, and VMware Telco Cloud platforms. Patches are available, and unpatched systems remain at risk. Discovery of the flaw was credited to researchers from MoyunSec Vlab.
Score, March 2025: 655
Cyber Attack • 01 Mar 2025 • VMware (Broadcom Inc.)
BRICKSTORM Backdoor Campaign Targeting US Legal, Tech, and SaaS Firms
Severity: Critical | Impact: -132 points | Score after incident: 523 | Incident ID: VMW1132111092525
Chinese-aligned threat group UNC5221 deployed the BRICKSTORM backdoor on VMware vCenter and ESXi hosts, targeting US legal, tech, and SaaS firms since at least March 2025. The attack exploited zero-day vulnerabilities in network appliances to gain initial access, followed by privilege escalation (MFA bypass, credential harvesting, VM cloning) and lateral movement via stolen credentials. The primary objective was email exfiltration from high-value targets, including key executives, with evidence of file theft from compromised mailboxes.
The backdoor established persistence through systemd and rc.local modifications, ensuring survival across reboots, while communicating with a hardcoded C2 server via WebSockets. The 393-day average dwell time allowed deep infiltration, with attackers leveraging Microsoft Entra ID Enterprise Applications to access sensitive emails.
Though no ransomware or direct financial fraud was reported, the breach compromised intellectual property, strategic communications, and potentially client-confidential data, posing long-term risks of corporate espionage, supply-chain attacks, and zero-day development by state-backed actors. VMware's role as a critical infrastructure provider amplifies the impact, since compromised vCenter servers could enable downstream attacks on customer environments. The sophistication of the campaign, including in-memory servlet injections and automated secret-stealer tools, suggests a nation-state-level operation with implications beyond immediate data theft.
Ransomware • 01 Mar 2025 • VMware
Broadcom: CISA: VMware ESXi flaw now exploited in ransomware attacks
Severity: Critical | Impact: -132 points | Score after incident: 523 | Incident ID: VMW1770230091
Ransomware Gangs Exploit Critical VMware ESXi Sandbox Escape Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that ransomware groups are actively exploiting CVE-2025-22225, a high-severity VMware ESXi sandbox escape vulnerability. The flaw, patched by Broadcom in March 2025, allows an attacker with privileged access to the VMX process to perform arbitrary kernel writes, enabling an escape from the VM sandbox.
Broadcom addressed CVE-2025-22225 alongside two other actively exploited zero-days, CVE-2025-22226 (an information disclosure, or memory leak) and CVE-2025-22224 (a TOCTOU flaw), affecting VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform. Attackers with admin or root privileges inside a guest could chain these vulnerabilities to bypass virtual machine isolation.
Cybersecurity firm Huntress reported that Chinese-speaking threat actors had likely exploited these flaws in sophisticated zero-day attacks since at least February 2024. CISA first added CVE-2025-22225 to its Known Exploited Vulnerabilities (KEV) catalog in March 2025, requiring federal agencies to patch by March 25, 2025, under Binding Operational Directive (BOD) 22-01.
VMware vulnerabilities remain a prime target for ransomware and state-sponsored groups because of the platform's widespread enterprise adoption. In October 2025, CISA ordered agencies to patch CVE-2025-41244, a VMware Aria Operations and VMware Tools flaw exploited by Chinese state-linked actors since late 2024. Another critical vCenter Server vulnerability (CVE-2024-37079) was subsequently flagged as actively exploited, with a patch deadline of February 13, 2026.
Separately, GreyNoise revealed that CISA discreetly classified 59 vulnerabilities as ransomware-exploited in 2024 alone, underscoring the growing threat landscape.
Score, January 2025: 719
Breach • 01 Jan 2025 • VMware
Canadian Tire, Cisco, VMware and Juniper: Security Affairs newsletter Round 565 by Pierluigi Paganini – INTERNATIONAL EDITION
Severity: Critical | Impact: -70 points | Score after incident: 649 | Incident ID: CISVMWJUNCAN1772332146
Cybersecurity Roundup: Major Breaches, State-Backed Threats, and Critical Vulnerabilities
A wave of high-profile cyber incidents, state-sponsored attacks, and critical vulnerabilities has dominated recent cybersecurity news.
Law Enforcement Actions & Espionage
Spanish police arrested a young hacker for exploiting a payment gateway to book luxury hotel stays for just one cent. Meanwhile, a former U.S. defense contractor executive received an 87-month prison sentence for selling stolen trade secrets, including zero-day exploits, to a Russian broker. In a separate case, a Romanian national pleaded guilty to selling unauthorized access to Oregon state government networks and other U.S. victims.
State-Backed Threats & APT Activity
Google’s Threat Intelligence Group (GTIG) disrupted a China-linked APT, UNC2814, halting attacks on 53 organizations across 42 countries. The Lazarus Group, a North Korean APT, deployed Medusa ransomware against a Middle East target, while APT28 (Russia) launched Operation MacroMaze, exploiting webhooks for covert data exfiltration. Dutch intelligence warned of Russia escalating hybrid attacks, preparing for a prolonged standoff with Western nations.
Critical Vulnerabilities & Exploits
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple flaws to its Known Exploited Vulnerabilities (KEV) catalog, including:
- A Soliton Systems K.K. FileZen vulnerability.
- Cisco SD-WAN flaws, abused since 2023 for full admin control.
- BeyondTrust (CVE-2026-1731) and VMware Aria Operations vulnerabilities enabling remote attacks.
Juniper issued an emergency patch for a critical PTX router RCE flaw, while Check Point researchers exposed flaws in Claude Code that could turn untrusted repositories into attack vectors.
Ransomware & Data Breaches
- Everest ransomware hit Vikor Scientific’s supplier, stealing data of 140,000 patients.
- ShinyHunters breached CarGurus, exposing 12.4 million users.
- ManoMano, a European DIY chain, suffered a breach impacting 38 million customers.
- Canadian Tire disclosed a 2025 breach affecting 38 million users.
- Olympique Marseille confirmed an attempted cyberattack following a data leak.
Emerging Threats & AI Risks
- 12 million exposed .env files revealed widespread security misconfigurations.
- Aeternum, a new botnet, hides commands in Polygon smart contracts.
- An AI-powered campaign compromised 600 FortiGate systems globally.
- Arkanix Stealer, an AI-assisted info-stealer, briefly operated before shutting down.
- CrowdStrike reported attackers moving through networks in under 30 minutes.
Geopolitical & Industry Developments
- Apple’s iPhone and iPad became the first consumer devices cleared for NATO ‘RESTRICTED’ classification.
- The U.S. Treasury sanctioned an exploit broker network for theft and sale of government cyber tools.
- Iran’s internet faced near-total blackouts amid U.S. and Israeli strikes.
- Ukraine reported cyberattacks on its energy grid being used to guide missile strikes.
Malware & Campaigns
- UAT-10027, a stealthy campaign, targeted U.S. education and healthcare with the Dohdoor backdoor.
- Starkiller, a phishing service, proxies real login pages, including MFA.
- North Korean actors deployed Medusa ransomware in a Middle East attack.
- A wormable XMRig campaign used BYOVD (Bring Your Own Vulnerable Driver) and a timed kill switch for stealth.
The past week underscored the growing sophistication of cyber threats, from state-sponsored espionage to AI-driven attacks and large-scale data breaches.
Score, October 2024: 724
Vulnerability • 01 Oct 2024 • Broadcom (VMware)
Exploitation of CVE-2025-41244 in VMware Aria Operations and VMware Tools by UNC5174
Severity: High | Impact: -3 points | Score after incident: 721 | Incident ID: VMW3002130103125
The article highlights an actively exploited high-severity vulnerability (CVE-2025-41244) in Broadcom’s VMware Aria Operations and VMware Tools, allowing local attackers with non-administrative VM access to escalate privileges to root. Exploited since October 2024 by UNC5174, a Chinese state-sponsored threat actor linked to China’s Ministry of State Security (MSS), the flaw enables attackers to execute arbitrary code at the highest privilege level. The actor has historically targeted U.S. defense contractors, UK government entities, and Asian institutions, selling network access post-compromise. CISA mandated federal agencies patch within three weeks (by November 20, 2025) under BOD 22-01, warning of significant risks to federal enterprise if left unpatched. While no direct data breach or financial loss is reported, the vulnerability’s exploitation could lead to full system compromise, enabling lateral movement, data exfiltration, or deployment of further malware (e.g., ransomware). Given the actor’s ties to state-sponsored espionage, the risk extends to intellectual property theft, supply chain attacks, or disruption of critical operations in defense and government sectors.
Score, July 2024: 802
Ransomware • 01 Jul 2024 • VMware
SEXi Ransomware Attack on VMware ESXi Servers
Severity: Critical | Impact: -88 points | Score after incident: 714 | Incident ID: VMW000072224
The SEXi ransomware operation, which recently rebranded as APT INC, continues to target VMware ESXi servers, causing significant service disruptions and potentially leaking sensitive customer data. The attacks underscore how attractive exposed ESXi hosts are to ransomware operators and the importance of hardening and isolating hypervisor management interfaces to prevent such incidents.
Score, June 2024: 803
Vulnerability • 16 Jun 2024 • Broadcom (VMware)
Exploitation of CVE-2025-41244 in VMware Aria Operations and VMware Tools by UNC5174
Severity: Critical | Impact: -1 point | Score after incident: 802 | Incident ID: VMW2892328103125
The CVE-2025-41244 vulnerability in VMware Aria Operations and VMware Tools (with SDMP enabled) was exploited by the Chinese state-sponsored group UNC5174 for espionage targeting Western and Asian institutions, including US defense contractors, UK government agencies, and Asian organizations. The flaw allowed local privilege escalation, enabling attackers with non-admin access to a VM to gain root privileges, facilitating deeper system compromise. The US Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by November 20, 2025, or discontinue use. Evidence suggests UNC5174 (linked to China’s Ministry of State Security) had been abusing this flaw since mid-2024, alongside other zero-days in Ivanti Cloud Services Appliance (CSA) to breach French government agencies, telcos, finance, and transportation sectors. The exploitation risks unauthorized access to sensitive defense, government, and corporate networks, potentially leading to data exfiltration, lateral movement, and long-term espionage. While no direct data breach or ransomware was confirmed in this case, the targeted nature of the attacks—focusing on high-value institutions—poses severe national security and economic risks if left unpatched.
Vulnerability • 16 Jun 2024 • VMware
Broadcom and Federal Civilian Executive Branch: CISA Warns of Critical VMware vCenter RCE Vulnerability Now Exploited in Attacks
Severity: Critical | Impact: -1 point | Score after incident: 802 | Incident ID: VMWFED1769279335
Critical VMware vCenter Vulnerability Added to CISA's Exploited Flaws Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37079, a critical vulnerability in Broadcom’s VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The flaw, disclosed by Broadcom, is an out-of-bounds write issue in the DCERPC protocol implementation, allowing unauthenticated attackers with network access to execute remote code and potentially gain full control of affected systems.
As the centralized management platform for VMware vSphere environments, a compromised vCenter Server could enable lateral movement across virtualized infrastructure, making this a high-risk threat for enterprises. The vulnerability (CWE-787) requires no user interaction, increasing its appeal to initial access brokers and ransomware groups, though CISA has not yet confirmed its use in ransomware campaigns.
CISA’s addition of the flaw to the KEV catalog on January 23, 2026, mandates that Federal Civilian Executive Branch (FCEB) agencies remediate it by February 13, 2026. Broadcom has released patches, and organizations are advised to upgrade to the latest secure versions of vCenter Server. Additional mitigation measures include network segmentation to restrict vCenter access to trusted administrative networks, monitoring for anomalous DCERPC traffic, and auditing access logs for unauthorized attempts.
With the remediation deadline approaching, enterprises must act swiftly to prevent exploitation by automated attack tools.
Score, January 2024: 802
Vulnerability • 01 Jan 2024 • VMware
Broadcom: Cyber Security News ®'s Post
Severity: Critical | Impact: -1 point | Score after incident: 801 | Incident ID: BRO1769309760
CISA Flags Actively Exploited VMware vCenter Server Vulnerability (CVE-2024-37079)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37079, a critical remote code execution (RCE) vulnerability in Broadcom’s VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalog. The move follows confirmed reports of active exploitation in the wild, heightening risks for enterprises using vCenter for virtualization management.
The flaw allows attackers with network access to the vCenter Server to execute arbitrary code, potentially gaining full control over the system. No additional user interaction or privileges are required, making it a high-severity threat. Organizations running affected versions of vCenter are urged to prioritize patching, as exploitation could lead to unauthorized access, data breaches, or lateral movement within networks.
Broadcom released patches for the vulnerability in June 2024, but its inclusion in CISA's KEV catalog underscores the urgency. Federal agencies covered by CISA's Binding Operational Directive (BOD 22-01) must remediate the flaw by February 13, 2026; private sector entities are also advised to act swiftly.
The incident highlights the growing targeting of virtualization infrastructure, a critical component in enterprise IT environments. Details on attack vectors and threat actors remain limited, but the vulnerability’s inclusion in the KEV catalog signals its immediate operational risk.