Organizations often fail to investigate after patching zero-day vulnerabilities, leading to undetected compromises. A proactive approach involving compromise assessments is critical to uncover potential breaches. Affected: VMware ESXi, cybersecurity sector
Key points:
- Patching alone does not confirm if systems have been breached.
- Recent zero-day vulnerabilities in VMware ESXi (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) have been exploited.
- A compromise assessment is necessary to uncover hidden intrusions and signs of exploitation.
- THOR offers two scanning methods suited to ESXi hosts: THOR Thunderstorm, a remote scanning service to which files from the host are submitted, and scanning the host's filesystem mounted over SSHFS from a Linux analysis system.
- Organizations must leverage deep forensic analysis rather than just relying on patching.
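The SSHFS route above amounts to mounting the ESXi root read-only on an analysis box and inspecting it with ordinary tooling. The script below is an added example of that kind of triage, not code from the Nextron post or from THOR itself: it flags executable statements that have been added to the boot-time hook /etc/rc.local.d/local.sh (a stock file contains only comments, a shebang and `exit 0`) and lists files under a few standard ESXi directories modified after a chosen date. The directory list, the 30-day default window and the Thunderstorm endpoint `http://thunderstorm:8080/api/check` are assumptions; the mount command in the docstring is the standard sshfs invocation.

```python
"""Offline triage of an ESXi host whose root filesystem is mounted read-only
over SSHFS from a Linux analysis system, e.g.:
    sshfs -o ro root@esxi01:/ /mnt/esxi01
Added example for the "patching is not enough" discussion; not Nextron/THOR code.
The directory list and the Thunderstorm URL are assumptions, not documented values.
"""
import json
import mimetypes
import os
import time
import urllib.request
import uuid
from pathlib import Path

# Assumed set of directories where post-exploitation tooling typically lands.
TRIAGE_DIRS = ["bin", "sbin", "etc", "usr/lib/vmware", "tmp", "var/tmp"]
# Boot-time hook that survives reboots; stock content is comments plus `exit 0`.
LOCAL_SH = "etc/rc.local.d/local.sh"


def local_sh_additions(text: str) -> list:
    """Executable statements in local.sh other than the shebang and a trailing
    `exit 0`. A stock file yields an empty list."""
    lines = []
    for raw in text.splitlines():
        s = raw.strip()
        if s and not s.startswith("#"):   # '#!' shebang is skipped too
            lines.append(s)
    if lines and lines[-1] == "exit 0":
        lines.pop()
    return lines


def recently_modified(root: Path, since: float) -> list:
    """Relative paths under TRIAGE_DIRS whose mtime is >= `since` (epoch secs)."""
    hits = []
    for sub in TRIAGE_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            try:
                if p.is_file() and p.stat().st_mtime >= since:
                    hits.append(str(p.relative_to(root)))
            except OSError:
                continue  # dangling link or unreadable entry on the SSHFS mount
    return sorted(hits)


def triage(mount_root: str, since: float) -> dict:
    """Run both checks against a mounted ESXi root and return the findings."""
    root = Path(mount_root)
    local_sh = root / LOCAL_SH
    text = local_sh.read_text(errors="replace") if local_sh.is_file() else ""
    return {
        "local_sh_additions": local_sh_additions(text),
        "recently_modified": recently_modified(root, since),
    }


def thunderstorm_submit(path: str, url: str = "http://thunderstorm:8080/api/check") -> dict:
    """Upload one suspicious file to a THOR Thunderstorm instance and return its
    JSON reply. The endpoint and response shape are assumptions; check the
    documentation of your own Thunderstorm deployment."""
    boundary = uuid.uuid4().hex
    name = os.path.basename(path)
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    with open(path, "rb") as f:
        data = f.read()
    body = (
        f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"; "
        f"filename=\"{name}\"\r\nContent-Type: {ctype}\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys
    # Default window: the last 30 days (assumption; align it with the exposure period).
    print(json.dumps(triage(sys.argv[1], time.time() - 30 * 86400), indent=2))
```

Run it as `python3 esxi_triage.py /mnt/esxi01` after mounting; anything reported under `local_sh_additions` is worth a manual look, and files listed under `recently_modified` are candidates for `thunderstorm_submit`. Mount read-only so the assessment itself does not alter timestamps on the host.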
MITRE ATT&CK Techniques:
- T1071.001 – Application Layer Protocol: Web Protocols – Communication and data exfiltration via application layer protocols.
- T1219 – Remote Access Software: Use of tools and methods for remote access to environments.
- T1059.003 – Command and Scripting Interpreter: Utilization of scripts to maintain persistence or cover tracks.
- T1543.003 – Create or Modify System Process: Implementation of rogue services or scheduled tasks for persistence.
- T1036.005 – Masquerading: Hiding malicious activities or tools from detection.
Full Story: https://www.nextron-systems.com/2025/03/11/patching-is-not-enough/