Dark Corners: How a Failed Patch Left VMware ESXi VM Escapes Open for Two Years
Black Hat USA 2025 · Day 1 · Briefings
Researchers from ANK Group Security Lab found that CVE-2021-22050, a VMware ESXi XHCI USB controller vulnerability first disclosed in 2021, had never been correctly patched: the fix covered the code path used by the original proof of concept but left the root cause in place. By reaching the same underlying bug through a slightly different code path, they achieved a full VM escape at the Tianfu Cup 2023. The issue was assigned a new identifier, CVE-2024-22252, more than two years after the original CVE. In a separate finding, they discovered CVE-2024-22254, an out-of-bounds write vulnerability in ESXi's Changed Block Tracking (CBT) kernel driver, which, chained after the initial VM escape, yields a complete escape from the ESXi sandbox.
AI review
A critical VMware ESXi vulnerability that "didn't exist" for two years because the 2021 patch addressed only the specific PoC code path and left the root cause intact. Full VM escape plus complete ESXi sandbox escape, demonstrated at the Tianfu Cup 2023, with an unusually candid industry critique of how VMware's bug bounty economics extend vulnerability lifespans.