Security Check-in Quick Hits: VMware ESXi Exploits, LockBit Mexican Gov Leak, ShinyHunters University Breaches, SolarWinds RCE, and GitLab SSRF Attacks
For February 6, 2026
CISA Sounds Alarm on VMware ESXi Zero-Day Exploited by Ransomware Gangs
In a stark reminder of the persistent threats facing enterprise infrastructure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical VMware ESXi vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-22225, this flaw is an arbitrary kernel write issue in ESXi’s VMX process, allowing attackers with VM privileges to escape sandbox isolation and seize control of the hypervisor.
Rated as “Important” with a CVSS score of 8.2, the vulnerability affects ESXi versions 7.0 and 8.0. It’s part of a chain of three zero-days exploited since early 2025, including CVE-2025-22224 (a heap overflow in the VMCI driver, CVSS 9.3) and CVE-2025-22226 (an HGFS memory leak, CVSS 7.1). Ransomware operators exploit it by compromising VMs, disabling drivers, loading unsigned kernels, and bypassing ASLR for persistent access via tools like VSOCKpuppet.
Broadcom patched this in March 2025 via advisory VMSA-2025-0004, but scans show over 41,500 exposed instances remain vulnerable. Chinese-linked actors have used it since February 2024, often via SonicWall VPN compromises, for data theft and ransomware prep. A toolkit targets 155 ESXi builds, with development traces dating back over a year.
CISA mandates federal patches by March 25, 2026, under BOD 22-01. Recommendations include immediate patching, EDR monitoring for VMX anomalies, privilege restrictions, and IOC scans like unsigned drivers or unusual VSOCK traffic. This exploit underscores the need for robust virtualization security—don’t let your hypervisors become the next ransomware playground.
LockBit Dumps 277 GB of Mexican Government Data in Massive Leak
Ransomware powerhouse LockBit has struck again, leaking 277 GB of sensitive data from Mexico’s Sociedad Hipotecaria Federal (SHF), a government housing finance agency. The dump, released on the dark web, includes complete databases, banking details, personal information, and credit records, potentially compromising millions of mortgage holders.
This breach is one of the most severe hits to the Mexican government, causing widespread system outages at SHF. Despite the fallout, there’s been no official statement from authorities, raising concerns about transparency and response readiness. LockBit’s action follows their typical playbook: infiltrate, encrypt, exfiltrate, and leak if ransoms aren’t paid.
While a related incident involving hacktivist group Chronus claimed a larger 2.3 TB breach affecting 36 million Mexicans across 25 institutions, LockBit’s focus on SHF highlights targeted financial sector attacks. The leaked data, if authentic, could fuel identity theft, fraud, and further extortion.
Organizations should bolster defenses with multi-factor authentication, regular backups, and incident response plans. For Mexico, this serves as a wake-up call to enhance cybersecurity in critical sectors—silence isn’t a strategy when data is on the line.
ShinyHunters Exposes Harvard and UPenn in Donor Data Dump
Notorious hack-and-leak group ShinyHunters has doxed Harvard University and the University of Pennsylvania, leaking over 2 million records after failed ransom demands. The breach, stemming from late 2025 attacks, includes admissions, fundraising, and donor details, painting a “social graph” of wealth and relationships.
Harvard’s data reveals high-profile donors like Mark Zuckerberg ($604 million), Michael Bloomberg ($422 million), and Steve Ballmer ($102 million), complete with addresses and emails. UPenn’s leak involves 1.2 million records, including internal documents like antisemitism action plans and donor files, following an October 2025 Graduate School of Education breach that initially affected fewer people.
ShinyHunters posted the data on their dark web forum, citing non-cooperation. This exposes vulnerabilities in academic systems, potentially leading to targeted scams or reputational damage.
Universities must prioritize patching, encryption, and breach notification. For affected individuals, monitoring for fraud is key—this breach shows even elite institutions aren’t immune to cyber shakedowns.
SolarWinds Web Help Desk RCE Flaw Under Active Exploitation, CISA Warns
CISA has flagged a critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD) as actively exploited, adding CVE-2025-40551 to its KEV catalog. This untrusted data deserialization bug (CVSS 9.8) allows unauthenticated attackers to run arbitrary commands on hosts.
Affecting versions up to 12.8.8 Hotfix 1, it is one of four critical flaws patched in January 2026, alongside another RCE (CVE-2025-40553) and authentication bypasses. Exploitation is low-complexity and requires no privileges, giving attackers OS command execution on the host.
Federal agencies must patch by February 6, 2026, per BOD 22-01. This follows prior WHD exploits, like hardcoded credentials in 2024 and a 2025 RCE patch bypass.
Admins should apply updates immediately, isolate exposed instances, and monitor for anomalies. SolarWinds’ history of breaches makes this a priority—proactive patching is your best defense against opportunistic attacks.
Old GitLab SSRF Vulnerability Revived in Active Attacks, Per CISA Alert
A five-year-old server-side request forgery (SSRF) flaw in GitLab is back in the spotlight, with CISA confirming active exploitation and adding CVE-2021-39935 to its KEV list.
Patched in December 2021, it affects versions from 10.5 to 14.5.1, allowing unauthenticated users to abuse the CI Lint API for internal requests, potentially exposing services or enabling pivots.
Federal entities must remediate by February 24, 2026. Despite its age, recent attacks highlight lingering unpatched instances.
GitLab users: Upgrade to patched versions, restrict API access, and scan for exposure. This resurgence proves old vulns don’t die—they wait for complacency. Stay vigilant.
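Both the WHD and GitLab items above give an explicit affected-version range and a BOD 22-01 due date, which is enough to triage an asset inventory. The following is an added example (not SolarWinds, GitLab or CISA tooling) that parses version strings, including the "Hotfix N" suffix WHD uses, checks them against the ranges stated on this page, and reports days until the KEV deadline; the inventory records and hostnames are constructed.

```python
"""Inventory triage against the two KEV entries above whose affected version
ranges are stated: GitLab CVE-2021-39935 (10.5 .. 14.5.1) and SolarWinds WHD
CVE-2025-40551 (up to 12.8.8 Hotfix 1). Example code; inventory is constructed."""
import re
from datetime import date

# Affected ranges and federal due dates exactly as stated in the items above.
# A hotfix number is treated as a fourth version component, so
# "12.8.8 Hotfix 1" sorts after "12.8.8" and before "12.8.8 Hotfix 2".
AFFECTED = {
    "gitlab": ("CVE-2021-39935", "10.5", "14.5.1", date(2026, 2, 24)),
    "solarwinds-whd": ("CVE-2025-40551", "0", "12.8.8 Hotfix 1", date(2026, 2, 6)),
}
REPORT_DATE = date(2026, 2, 6)  # date of this check-in

def parse_version(text):
    """'14.5.1' -> (14, 5, 1, 0); '12.8.8 Hotfix 1' -> (12, 8, 8, 1).
    Always four components so plain tuple comparison orders releases."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\s*(?:hotfix|hf)\s*(\d+))?", text.strip(), re.I)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = ([int(p) for p in m.group(1).split(".")] + [0, 0, 0])[:3]
    return tuple(parts) + (int(m.group(2) or 0),)

def is_affected(product, version):
    """True when version lies inside the stated affected range (inclusive)."""
    _, lo, hi, _ = AFFECTED[product]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)

def triage(inventory, today):
    """Return (host, cve, days_until_due) for every affected asset;
    a negative day count means the BOD 22-01 deadline has already passed."""
    findings = []
    for host, product, version in inventory:
        if product in AFFECTED and is_affected(product, version):
            cve, _, _, due = AFFECTED[product]
            findings.append((host, cve, (due - today).days))
    return findings

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("git01", "gitlab", "14.5.1"),                   # last release in the stated range
    ("git02", "gitlab", "14.5.2"),                   # above the stated range
    ("git03", "gitlab", "10.4.9"),                   # below the stated range
    ("whd01", "solarwinds-whd", "12.8.8 Hotfix 1"),  # still within "up to 12.8.8 Hotfix 1"
    ("whd02", "solarwinds-whd", "12.8.8 Hotfix 2"),  # above the stated range
]

if __name__ == "__main__":
    for finding in triage(INVENTORY, REPORT_DATE):
        print(finding)
```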