
Cybercriminals are exploiting VMware ESXi hosts in the wild with a zero-day exploit toolkit that chains several vulnerabilities to break out of virtual machines. The cybersecurity firm Huntress interrupted one such incident and traced the initial breach to a compromised SonicWall VPN.

Threat actors established access through SonicWall VPN, subsequently leveraging a compromised Domain Admin account to move laterally to backup and primary domain controllers.

On the primary Domain Controller, they ran reconnaissance utilities such as Advanced Port Scanner and ShareFinder, staged data with WinRAR, and modified the Windows firewall configuration to block outbound traffic to the internet while still allowing internal lateral movement.

About 20 minutes after deploying the toolkit, they launched the ESXi exploit, which Huntress halted before any ransomware was deployed.

VMware ESXi Instances Exploit Toolkit

The toolkit, which Huntress calls MAESTRO, disables the VMware VMCI drivers with devcon.exe, loads an unsigned driver via KDU to bypass Driver Signature Enforcement, and then carries out the VM escape itself.

Toolkit (Source: Huntress)

MyDriver.sys queries the ESXi version via the VMware Guest SDK, selects offsets from a table covering 155 builds from ESXi 5.1 to 8.0, leaks the VMX base address via HGFS (CVE-2025-22226), corrupts memory using VMCI (CVE-2025-22224), and runs shellcode for the sandbox escape (CVE-2025-22225).


| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2025-22226 | 7.1 | Out-of-bounds read in HGFS leaking VMX memory |
| CVE-2025-22224 | 9.3 | Arbitrary write escaping the VMX sandbox to kernel |
| CVE-2025-22225 | 8.2 | Arbitrary write escaping the VMX sandbox to the kernel |

The shellcode stages deploy VSOCKpuppet, a backdoor that takes control of ESXi's inetd on port 21 for root command execution and uses VSOCK for guest-host communication that network monitoring tools cannot see.

PDB paths indicate development in simplified Chinese environments, such as “全版本逃逸–交付” (All version escape-delivery), dated February 2024, more than a year prior to Broadcom’s VMSA-2025-0004 disclosure on March 4, 2025.

A client.exe PDB from November 2023 points to modular tooling, with modified VMware drivers referencing "XLab". Huntress attributes the toolkit with strong confidence to Chinese-speaking operators, given the resources and zero-day access involved.

VM isolation cannot be relied on when the hypervisor itself is vulnerable; patch ESXi promptly, since end-of-life versions receive no updates. Monitor ESXi hosts with "lsof -a" for processes holding VSOCK descriptors, watch for BYOVD loaders such as KDU, and harden VPN access. Firewall rule changes and unsigned driver loads are indicators of compromise, and VSOCK backdoors evade network IDS.
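The "lsof -a" check above is easy to automate. As an added example (not Huntress's or VMware's code), here is a small Python detector that parses lsof-style output from an ESXi host, lists every world holding a VSOCK descriptor, and compares the result with an operator-maintained baseline of worlds that legitimately use VSOCK. The sample output is constructed, and the pipe-delimited column layout is an assumption modelled loosely on the ESXi shell's lsof, so adapt the parser to what a real host prints.

```python
"""Flag processes holding VSOCK descriptors in lsof-style output from an ESXi host.

Added example, not Huntress or VMware code. The column layout below
("Cartel | World name | Type | fd | Description") is an ASSUMPTION modelled
loosely on the ESXi shell's lsof; verify it against a real host before use.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OpenDescriptor:
    cartel: str        # ESXi cartel (process) id
    world: str         # world / process name
    ftype: str         # descriptor type column
    fd: str            # descriptor number
    description: str   # path, socket endpoint, etc.


# CONSTRUCTED sample output; not captured from a real or compromised host.
# The inetd row with a VSOCK descriptor mirrors the VSOCKpuppet indicator
# described in the article (inetd hijacked, VSOCK used for guest-host C2).
SAMPLE_LSOF = """\
Cartel  | World name | Type | fd | Description
2098380 | hostd      | FILE | 3  | /var/log/hostd.log
2098380 | hostd      | SOCK | 12 | TCP 0.0.0.0:443
2100011 | inetd      | SOCK | 4  | TCP 0.0.0.0:21
2100011 | inetd      | SOCK | 5  | VSOCK cid=2 port=1025
2100042 | sh         | SOCK | 3  | vsock local cid=2 port=40000
"""

VSOCK_RE = re.compile(r"\bvsock\b", re.IGNORECASE)


def parse_lsof(text):
    """Parse pipe-delimited lsof-style lines, skipping the header and malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or parts[0].lower() == "cartel":
            continue
        rows.append(OpenDescriptor(*parts))
    return rows


def find_vsock_users(rows):
    """Every descriptor whose type or description mentions VSOCK."""
    return [r for r in rows
            if VSOCK_RE.search(r.ftype) or VSOCK_RE.search(r.description)]


def unexpected_vsock_worlds(rows, allowed=frozenset()):
    """World names using VSOCK that are absent from the operator's baseline.

    Build `allowed` from a known-clean host of the same ESXi build; anything
    outside it deserves a closer look.
    """
    return sorted({r.world for r in find_vsock_users(rows) if r.world not in allowed})


def inetd_with_vsock(rows):
    """True when inetd holds a VSOCK descriptor, the specific indicator from the article."""
    return any(r.world == "inetd" for r in find_vsock_users(rows))


if __name__ == "__main__":
    rows = parse_lsof(SAMPLE_LSOF)
    for r in find_vsock_users(rows):
        print(f"VSOCK user: cartel={r.cartel} world={r.world} fd={r.fd} {r.description}")
    print("worlds outside baseline:", unexpected_vsock_worlds(rows))
    print("inetd holding VSOCK:", inetd_with_vsock(rows))
```

Run it on the real output of `lsof -a` (piped to a file and passed to `parse_lsof`) and seed `allowed` from a clean host, so that only deviations from the baseline are reported; the inetd-specific check is kept separate because that pairing is the named indicator for this backdoor.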

This event highlights ongoing hypervisor risks, with attackers prioritizing stealth by restoring drivers and cleaning up configuration changes after exploitation. Organizations must strengthen virtualization security aggressively as ransomware increasingly targets ESXi.
