Virtual Environments Under Fire: Fire Ant Campaign Breaches VMware Systems


A threat actor, codenamed Fire Ant, has targeted virtualization and networking infrastructure as part of a prolonged cyber-espionage campaign uncovered in 2025. The attackers focused on exploiting vulnerabilities and abusing trusted management tools to gain persistent, hypervisor-level access across entire environments. By compromising virtualization platforms and network appliances, Fire Ant could pivot into guest systems, extract sensitive data, and systematically bypass traditional security controls.

Executive Summary

  • Since early 2025, a prolonged cyber-espionage campaign codenamed Fire Ant has actively targeted virtualization and networking infrastructure.
  • The primary focus was on environments running VMware ESXi, vCenter, and critical network appliances, exploiting their central role in managing and connecting segmented networks.
  • The attackers combined stealthy, multi-layered techniques to penetrate restricted network segments previously assumed to be isolated and secure.
  • They demonstrated exceptional persistence and adaptability, responding quickly to defensive measures, redeploying toolsets, and maintaining access despite eradication efforts.
  • The campaign’s tooling and attack patterns align with tactics observed in prior sophisticated threat activity, including exploiting known vCenter and ESXi vulnerabilities.
  • Overall, Fire Ant highlights the urgent need for enhanced visibility and monitoring at the hypervisor and infrastructure layer, where traditional endpoint security solutions often lack coverage.

Vulnerability Details

CVE-2023-34048
1. Vulnerability: Out-of-bounds write in the vCenter Server DCERPC protocol implementation
2. CVSS Score: 9.8 (Critical)
3. EPSS Score: 92.02%
4. Affected Products: VMware vCenter Server 7.0 prior to 7.0U3o and 8.0 prior to 8.0U1d (8.0 Update 1 line) or 8.0U2; VMware Cloud Foundation 4.x and 5.x prior to the fixes in KB88287

CVE-2023-20867
1. Vulnerability: Authentication bypass in the VMware Tools vgauth module (host-to-guest operations)
2. CVSS Score: 3.9 (Low); scored low because exploitation requires an already fully compromised ESXi host
3. EPSS Score: 0.51%
4. Affected Products: VMware Tools 10.3.x, 11.x.x, 12.x.x prior to 12.2.5

Infection Method

Initial Access

Attackers target internet-facing VMware vCenter servers and hypervisor management interfaces as the entry point into virtualization environments.

Exploitation

CVE-2023-34048 (vCenter DCERPC out-of-bounds write vulnerability):

  • Attackers exploit an out-of-bounds write vulnerability in vCenter Server’s DCERPC protocol implementation.
  • Specially crafted network requests allow unauthenticated remote code execution on vCenter, enabling the attackers to gain control over the virtualization management layer.

CVE-2023-20867 (VMware Tools authentication bypass):

  • Attackers exploit an authentication bypass that lets a fully compromised ESXi host run commands inside its guest virtual machines without valid in-guest credentials. The bypass is worthless on its own, which is why it is scored Low, but once the hypervisor is owned it becomes a guest-takeover primitive.
  • By abusing PowerCLI host-to-guest (guest operations) features and modifying VMX process memory, attackers inject malicious commands directly into guest VMs.

Threat Capabilities

CVE-2023-34048 (vCenter DCERPC out-of-bounds write vulnerability)

  • Unauthenticated remote code execution on vCenter servers directly over the network.
  • Deploy persistent backdoors on vCenter to maintain covert access across reboots.
  • Extract privileged service account credentials (e.g., vpxuser, the account vCenter itself uses to manage each ESXi host) to pivot from vCenter into connected ESXi hosts.
  • Gain complete control over the virtualization management layer, allowing centralized orchestration of ESXi hosts and guest virtual machines.
  • Sidestep lockdown mode and other direct-host protections: lockdown mode blocks direct logins to ESXi but continues to trust vCenter, so an attacker holding vCenter or the vpxuser credentials manages the hosts through the trusted path.

CVE-2023-20867 (VMware Tools authentication bypass)

  1. Execute arbitrary commands inside guest virtual machines, directly from the hypervisor, without valid in-guest credentials.
  2. Deploy malware, credential-dumping tools, and tunneling frameworks (e.g., V2Ray) inside guest VMs without triggering user authentication.
  3. Tamper with or disable endpoint detection agents running inside guest operating systems.
  4. Dump sensitive data, including NTLM hashes and domain credentials, by capturing and reading guest memory snapshots from the hypervisor, with nothing executing inside the guest to alert in-guest tooling.
  5. Pivot from compromised guest VMs into broader internal networks, enabling lateral movement beyond the virtualization layer.
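The two capabilities above leave a common trace at the hypervisor layer: the vpxuser account authenticating from somewhere other than vCenter, and guest operations issued to ESXi directly instead of through vCenter. The following Python is an added example for this article, not Sygnia's, VMware's, or Saner's code. It runs over constructed log lines whose format is modelled on vCenter/ESXi session and guest-operation event messages; the exact event wording varies by version, so the line layout, the regexes, the high-risk operation names, and the known vCenter address are all assumptions to adapt to your own exports.

```python
"""Flag vpxuser misuse and direct-to-host guest operations in ESXi event exports.

Added example, not vendor code. The log format below is constructed: one line
per event as "<timestamp> user=<account>@<source-ip> msg=<event message>".
"""
import re
from dataclasses import dataclass

# Assumption: the only system that should ever authenticate to ESXi as vpxuser.
KNOWN_VCENTER_IPS = {"10.10.0.5"}
PRIVILEGED_ACCOUNTS = {"vpxuser", "root"}
# Assumption: guest operations that write into or execute inside a guest.
HIGH_RISK_OPS = {"Start Program", "Initiate File Transfer To Guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>[^@\s]+)@(?P<ip>\d+(?:\.\d+){3}) msg=(?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^User \S+ logged in as (?P<agent>.+)$")
GUESTOP_RE = re.compile(
    r"^Guest operation (?P<op>.+?) performed on Virtual machine (?P<vm>\S+)"
)

# Constructed sample: a legitimate vCenter session, then stolen vpxuser
# credentials used from a workstation via PowerCLI to push a file into a
# domain controller and run it, then a harmless admin query.
SAMPLE_LOG = """\
2025-03-02T10:15:01Z user=vpxuser@10.10.0.5 msg=User vpxuser@10.10.0.5 logged in as VMware vim-java 1.0
2025-03-02T11:02:44Z user=vpxuser@10.44.9.17 msg=User vpxuser@10.44.9.17 logged in as PowerCLI/13.1.0.21624340
2025-03-02T11:03:10Z user=vpxuser@10.44.9.17 msg=Guest operation Initiate File Transfer To Guest performed on Virtual machine DC01
2025-03-02T11:03:12Z user=vpxuser@10.44.9.17 msg=Guest operation Start Program performed on Virtual machine DC01
2025-03-02T11:20:00Z user=admin@10.10.0.50 msg=Guest operation List Processes performed on Virtual machine WEB02
"""


@dataclass
class Finding:
    ts: str
    rule: str
    severity: str
    detail: str


def analyse(log_text, known_vcenter_ips=KNOWN_VCENTER_IPS):
    """Return findings for vpxuser logins from foreign sources and for
    privileged guest operations that did not come through vCenter."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the constructed format; skip rather than guess
        ts, user, ip, msg = m.group("ts", "user", "ip", "msg")
        from_vcenter = ip in known_vcenter_ips

        login = LOGIN_RE.match(msg)
        if login and user == "vpxuser" and not from_vcenter:
            # vCenter's service account used from anywhere else means the
            # credential has most likely been extracted from vCenter.
            findings.append(Finding(ts, "vpxuser-foreign-login", "high",
                                    f"vpxuser from {ip} via {login['agent']}"))
            continue

        gop = GUESTOP_RE.match(msg)
        if gop and user in PRIVILEGED_ACCOUNTS and not from_vcenter:
            # Guest operations normally arrive proxied by vCenter; a direct
            # privileged call to the host is the host-to-guest abuse pattern.
            sev = "high" if gop["op"] in HIGH_RISK_OPS else "medium"
            findings.append(Finding(ts, "direct-host-guest-op", sev,
                                    f"{user}@{ip} ran '{gop['op']}' on {gop['vm']}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} [{f.severity}] {f.rule}: {f.detail}")
```

The first sample line produces nothing because vpxuser from the vCenter address is normal; the admin's List Processes call is also ignored because it is neither a service account nor a high-risk operation. Adding the attacker's workstation to the known-vCenter set silences everything, which is the point: the rules are only as good as your inventory of where vCenter actually lives.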

Impact 

  1. Remote Code Execution: Arbitrary command execution on vCenter servers and, from there, directly inside guest virtual machines.
  2. Authentication Bypass: Host-to-guest operations executed without valid in-guest credentials.
  3. Credential Harvesting: Extraction of privileged service account credentials and dumping of passwords and hashes from guest memory, supporting lateral movement across the virtual and physical network environments.

Patch

  1. Upgrade vCenter Server to 7.0U3o (7.0 line) or 8.0U1d / 8.0U2 (8.0 line) or later
  2. Apply the fixes in KB88287 on VMware Cloud Foundation 4.x and 5.x
  3. Upgrade VMware Tools to 12.2.5 or later in every guest; a guest left on older Tools remains a takeover target from any compromised ESXi host
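A common mistake when checking the fixes above is to treat the dotted version alone as proof of patching: vCenter 7.0U3o and 8.0U1d are both builds within the 7.0.3 and 8.0.1 lines, so a host reporting 7.0.3 may or may not carry the fix, while 8.0.2 and later is fixed outright. The Python below is an added example for this article, not VMware or Saner tooling. It parses constructed strings in the shape printed by `vmware-toolbox-cmd -v` inside a guest and `vpxd -v` on a vCenter appliance, and deliberately answers "check build" rather than guessing a build number where only the build distinguishes patched from unpatched.

```python
"""Classify VMware Tools and vCenter versions against the fixes for
CVE-2023-20867 and CVE-2023-34048.

Added example, not vendor code. Sample outputs are constructed in the format of
`vmware-toolbox-cmd -v` ("12.2.5.41145 (build-21855600)") and
`vpxd -v` ("VMware VirtualCenter 7.0.3 build-NNNNNNNN"); build numbers used as
samples are placeholders, not advisory values.
"""
import re

TOOLS_FIXED = (12, 2, 5)  # VMware Tools 12.2.5 fixes CVE-2023-20867

TOOLS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
VPXD_RE = re.compile(r"VMware VirtualCenter (\d+)\.(\d+)\.(\d+) build-(\d+)")


def tools_status(toolbox_output):
    """'fixed' or 'vulnerable' for a `vmware-toolbox-cmd -v` output line."""
    m = TOOLS_RE.match(toolbox_output.strip())
    if not m:
        raise ValueError(f"unrecognised VMware Tools version: {toolbox_output!r}")
    version = tuple(int(x) for x in m.groups())
    return "fixed" if version >= TOOLS_FIXED else "vulnerable"


def vcenter_status(vpxd_output):
    """Classify a `vpxd -v` line against the CVE-2023-34048 fixes.

    Update releases map onto the third version component (7.0U3 -> 7.0.3,
    8.0U1 -> 8.0.1, 8.0U2 -> 8.0.2). Where the fix is a specific build inside
    a line, report that the build must be compared against the advisory.
    """
    m = VPXD_RE.search(vpxd_output)
    if not m:
        raise ValueError(f"unrecognised vpxd output: {vpxd_output!r}")
    major, minor, update = (int(m.group(i)) for i in (1, 2, 3))
    version = (major, minor, update)
    if version >= (8, 0, 2):
        return "fixed"                       # 8.0U2 and everything after it
    if version == (8, 0, 1):
        return "check build: fixed at 8.0U1d"  # 8.0U1 line, fix is a build within it
    if version == (7, 0, 3):
        return "check build: fixed at 7.0U3o"  # 7.0U3 line, same situation
    return "vulnerable"                      # 8.0 GA, 7.0 below U3, or older lines


def fleet_report(tools_outputs, vpxd_output):
    """Summarise a set of guest Tools outputs plus one vCenter, for a ticket."""
    guests = {name: tools_status(out) for name, out in tools_outputs.items()}
    return {
        "vcenter": vcenter_status(vpxd_output),
        "guests_vulnerable": sorted(n for n, s in guests.items() if s == "vulnerable"),
    }


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample_guests = {
        "DC01": "12.1.5.39140 (build-20735119)",
        "WEB02": "12.2.5.41145 (build-21855600)",
        "FILE03": "11.3.5.18557794 (build-18557794)",
    }
    print(fleet_report(sample_guests, "VMware VirtualCenter 7.0.3 build-00000000"))
```

Running the block as written reports the vCenter as needing a build comparison and lists DC01 and FILE03 as guests still exposed, which is the working list you would hand to whoever owns those VMs.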

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated patching solution that fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.