In this week’s roundup, we track how Payload ransomware is targeting both Windows and ESXi with Babuk-inspired encryption and a double-extortion model that amplifies impact beyond downtime, spotlight new malware strains that compromise Linux-based network devices for DDoS and cryptocurrency mining, break down CrackArmor AppArmor weaknesses that can enable local privilege escalation and weaken host or container isolation, explain why ransomware keeps punishing organizations stuck on unpatched VMware estates where patch timing and operational windows turn known vulnerabilities into ongoing exposure, and close with an urgent warning on an unpatched critical telnetd flaw affecting all versions that can be exploited pre-auth for remote code execution, making port 23 exposure a priority for immediate mitigation. Read on!
Securing the Infrastructure Behind Life-Saving Care
Built to keep patient care online across five states, this rural healthcare provider operates the only NICU and Trauma Center in a 9,000-square-mile region, with an EMR tolerance of less than 10 minutes of downtime per month and more than 100 VMware hosts running 99 percent of its workloads. It identified the hypervisor as its last major security gap and validated ZeroLock after a demo showed how a single host command could encrypt all VMs. A firewall-only approach from its existing EDR vendor was rejected as complex, costly, and ineffective against stolen-credential playbooks. After a roughly 45-day proof of concept, the team secured fast-track approval despite having no prior budget line and deployed in about 80 hours, moving from alert-only to full protection ahead of the holidays.
"Patch lag has long been an issue for walled-garden environments like ESXi. The difference between patch availability and application is significant, but can unfortunately lead to prolonged periods of unpatched and unprotected systems, especially in more risk-averse organizations. This can seem counterintuitive at first glance, but it holds true particularly for hypervisors. No one wants to have to schedule infrastructure downtime. Preemptive security helps to nullify the patch lag problem."
On Ransomware Exposes the Cost of Unpatched VMware Systems
"This week’s findings are a strong reminder that today’s threats move fast and span everything from Windows and ESXi to Linux and network infrastructure. From my perspective as the Technical Channel Enablement Manager at Vali Cyber, this is exactly where channel partners shine—helping organizations translate complex threat activity into practical, timely security action. By working together as a community, we can close gaps faster, share hard-earned expertise, and make it much harder for attackers to turn known issues into real-world impact."
On Weekly Threat Roundup
Payload Ransomware Uses Babuk-Inspired Encryption In Attacks On Windows and ESXi
Racing from launch to impact, the emerging “Payload” ransomware operation has been targeting both Windows and VMware ESXi by pairing Babuk-style cryptography with double extortion. The group claims activity since at least February 17, 2026 and advertises victims on a Tor leak site, alleging more than 2.6 TB exfiltrated across 12 organizations in seven countries. Researchers describe a Windows payload that wipes event logs, tampers with ETW tracing, deletes shadow copies, and kills backup or security services, alongside a compact Linux/ESXi variant that scans VMware configuration files to locate virtual disk images and encrypt them directly.
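As an added detection example (not Payload's code and not from the roundup's source), the rules below flag the Windows precursor behaviours described above over constructed, SIEM-style JSON event lines; the command-line patterns and the backup-service watch-list are my own assumptions, not observed Payload artifacts.

```python
import json
import re

# Precursor behaviours attributed to the Payload Windows payload: clearing event
# logs, deleting shadow copies, stopping backup/security services. The regexes and
# the service watch-list are assumptions, not the ransomware's actual command lines.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
SERVICE_STOP = re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+(\S+)", re.I)
BACKUP_SERVICE_FRAGMENTS = {"veeam", "backup", "sql", "msexchange", "vss"}  # hypothetical

def classify(event: dict) -> list:
    """Return the names of the precursor rules a single normalized event matches."""
    hits = []
    channel, eid = event.get("channel"), event.get("event_id")
    cmd = event.get("command_line", "")
    if channel == "Security" and eid == 1102:      # "The audit log was cleared"
        hits.append("security_log_cleared")
    if channel == "System" and eid == 104:         # "The System log file was cleared"
        hits.append("system_log_cleared")
    if eid == 4688 and SHADOW_DELETE.search(cmd):  # process creation with command line
        hits.append("shadow_copy_deletion")
    m = SERVICE_STOP.search(cmd) if eid == 4688 else None
    if m and any(f in m.group(4).lower() for f in BACKUP_SERVICE_FRAGMENTS):
        hits.append("backup_or_security_service_stopped")
    return hits

def scan(lines) -> dict:
    """Parse JSON-lines telemetry and collect the distinct rules hit per host."""
    per_host = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in classify(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}

# Constructed sample telemetry; field names mirror a generic SIEM normalization.
SAMPLE = """
{"host": "fs01", "channel": "Security", "event_id": 4688, "command_line": "vssadmin.exe delete shadows /all /quiet"}
{"host": "fs01", "channel": "Security", "event_id": 4688, "command_line": "net stop VeeamBackupSvc /y"}
{"host": "fs01", "channel": "Security", "event_id": 1102, "command_line": ""}
{"host": "ws07", "channel": "Security", "event_id": 4688, "command_line": "notepad.exe notes.txt"}
"""

if __name__ == "__main__":
    # Two or more distinct precursors on one host is a sensible alert threshold.
    for host, rules in scan(SAMPLE.splitlines()).items():
        level = "ALERT" if len(rules) >= 2 else "info"
        print(f"{level} {host}: {', '.join(rules)}")
```

Event ID 4688 only carries a command line when process-creation auditing with command-line logging is enabled, so confirm that audit policy before relying on the shadow-copy and service-stop rules.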
CrackArmor Flaws Expose Linux Systems to Privilege Escalation
CrackArmor is a set of nine AppArmor flaws, described as confused-deputy and related kernel issues, that can let an unprivileged local user manipulate AppArmor policy via pseudo-files, bypass user-namespace restrictions, escalate to root, and weaken container isolation across widely deployed Linux distributions where AppArmor is enabled by default. Researchers note the weaknesses date back to Linux kernel v4.11 in 2017 and may affect more than 12.6 million systems, prompting urgent guidance to apply kernel updates because proof-of-concept exploits exist, even though public exploit code and CVE assignments are limited so far.
Ransomware Exposes the Cost of Unpatched VMware Systems
Patch lag is the real risk multiplier for VMware estates that are hard to modernize. This post argues that CISA-confirmed ransomware exploitation of the ESXi sandbox-escape flaw CVE-2025-22225 shows how attackers benefit when “a fix exists” but cannot be deployed quickly, especially as Broadcom-era support and licensing shifts can push vSphere 7.x out of general support and leave older environments effectively stuck, while familiar chains like ESXiArgs exploiting OpenSLP CVE-2021-21974 still enable access to VM files and cripple recovery. That is why the piece positions a move to a VMware alternative such as Sangfor HCI or Sangfor Virtualization.
Researchers Warn of Unpatched, Critical Telnetd Flaw Affecting All Versions
Critical Telnet risk is resurfacing because CVE-2026-32746 is a CVSS 9.8 buffer overflow in GNU InetUtils telnetd that can be exploited remotely and without authentication during the initial LINEMODE handshake, before any login prompt, allowing remote code execution as root on any exposed system running versions up to 2.7. Dream warns that exploitation is trivial, since a single connection to port 23 can trigger it and lead to full host compromise, persistence, data theft, and pivoting. The practical guidance is to disable Telnet, block or restrict port 23, and add network-level logging and IDS monitoring until the vendor patch expected by April 1, 2026 is available and deployed.
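As an added example (not from Dream's advisory or the InetUtils project), this script checks a Linux host for a TCP/23 listener by parsing /proc/net/tcp and /proc/net/tcp6, and prints nftables commands that log and drop new inbound Telnet connections as the interim mitigation described above; the table name and log prefix are my own choices.

```python
from pathlib import Path

TELNET_PORT = 23
TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp{,6}

def listening_ports(proc_net_tcp: str) -> set:
    """Parse /proc/net/tcp text and return the local ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)  # "addr:port", both hex
        if int(fields[3], 16) == TCP_LISTEN:
            ports.add(local_port)
    return ports

def telnet_exposed(proc_net_tcp: str, proc_net_tcp6: str = "") -> bool:
    """True when anything is listening on TCP/23 over IPv4 or IPv6."""
    return TELNET_PORT in (listening_ports(proc_net_tcp) | listening_ports(proc_net_tcp6))

def mitigation_commands(table: str = "inet filter") -> list:
    """nft commands that log, then drop, new inbound connections to port 23."""
    return [
        f"nft add table {table}",
        f"nft add chain {table} input '{{ type filter hook input priority 0; }}'",
        f"nft add rule {table} input tcp dport {TELNET_PORT} ct state new "
        f"log prefix \"telnet-blocked: \" drop",
    ]

# Constructed sample: one listener on 0.0.0.0:23 (0x0017) and one on 127.0.0.1:631 (0x0277).
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    # Use the live tables when running on Linux, otherwise fall back to the sample.
    v4, v6 = Path("/proc/net/tcp"), Path("/proc/net/tcp6")
    text4 = v4.read_text() if v4.exists() else SAMPLE_PROC_NET_TCP
    text6 = v6.read_text() if v6.exists() else ""
    if telnet_exposed(text4, text6):
        print("TCP/23 listener found; suggested interim rules:")
        print("\n".join(mitigation_commands()))
    else:
        print("no TCP/23 listener found")
```

Blocking at the host is a stopgap; the same drop-and-log rule belongs on the perimeter and segmentation firewalls so the IDS sees attempts against every telnetd-capable device, not just the hosts you can run this on.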