Hackers are exploiting VMware ESXi instances in the wild with a zero-day exploit toolkit that chains several vulnerabilities for VM escapes. Cybersecurity firm Huntress disrupted one such attack, attributing initial access to a compromised SonicWall VPN.
Threat actors gained a foothold through the SonicWall VPN, then used a compromised Domain Admin account for lateral movement to the backup and primary domain controllers.
On the primary DC, they deployed reconnaissance tools such as Advanced Port Scanner and ShareFinder, staged data with WinRAR, and altered Windows firewall rules to block external outbound traffic while allowing internal lateral movement.
Roughly 20 minutes after toolkit deployment, they executed the ESXi exploit, which Huntress stopped before ransomware deployment.
VMware ESXi Instances Exploit Toolkit
The toolkit, dubbed MAESTRO by Huntress, orchestrates disabling the VMware VMCI drivers with devcon.exe, loading an unsigned driver via KDU to bypass Driver Signature Enforcement, and executing the core escape.
Toolkit (Source: Huntress)
MyDriver.sys queries the ESXi version via the VMware Guest SDK, selects offsets from a table supporting 155 builds across ESXi 5.1 to 8.0, leaks the VMX base via HGFS (CVE-2025-22226), corrupts memory via VMCI (CVE-2025-22224), and deploys shellcode for sandbox escape (CVE-2025-22225).
CVE ID           CVSS Score   Description
CVE-2025-22226   7.1          Out-of-bounds read in HGFS leaking VMX memory
CVE-2025-22224   9.3          Arbitrary write escaping the VMX sandbox to the kernel
CVE-2025-22225   8.2          Arbitrary write escaping the VMX sandbox to the kernel
Shellcode stages deploy VSOCKpuppet, a backdoor that hijacks ESXi's inetd on port 21 for root execution, using VSOCK for stealthy guest-host communication that is invisible to network tools.
PDB paths reveal development in Simplified Chinese environments, like “全版本逃逸–交付” (All version escape-delivery), dated February 2024, over a year before Broadcom's VMSA-2025-0004 disclosure on March 4, 2025.
A client.exe PDB from November 2023 suggests modular tooling, with tampered VMware drivers referencing “XLab”. Huntress has high confidence in Chinese-speaking origins due to the resources and zero-day access involved.
VM isolation fails against hypervisor flaws; patch ESXi urgently, as end-of-life versions lack fixes. Monitor ESXi hosts with “lsof -a” for VSOCK processes, watch for BYOVD loaders like KDU, and secure VPNs. Firewall rule changes and unsigned drivers signal compromise; VSOCK backdoors evade IDS.
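The host-side check above (run “lsof -a” on ESXi and look for VSOCK endpoints and for inetd serving port 21) can be turned into a small triage script. The following is an added example, not code from Huntress or from the article; the sample lsof output is constructed, and the five-column layout it assumes (Cartel, World name, Type, fd, Description) is an assumption that should be checked against the real output of your own hosts before relying on the parser.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the style of `lsof -a` on an ESXi host.
# The column layout is an ASSUMPTION made for this example; adjust the
# parser if your hosts print a different header or ordering.
SAMPLE_LSOF = """\
Cartel  World name   Type      fd  Description
1001    hostd        IPv4      12  TCP 0.0.0.0:443
1002    vpxa         IPv4      8   TCP 0.0.0.0:902
1003    inetd        IPv4      4   TCP 0.0.0.0:21
1003    inetd        vsock     5   vsock 2:21
1004    sfcb         IPv4      6   TCP 127.0.0.1:5989
"""


@dataclass
class Finding:
    cartel: str
    world: str
    reason: str


def parse_lsof(text):
    """Split lsof-style output into rows; the header line is skipped and the
    Description column may contain spaces, so only the first four fields
    are split off."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # blank or malformed line
        rows.append(dict(zip(("cartel", "world", "type", "fd", "desc"), parts)))
    return rows


def find_suspicious(rows, inetd_ports=(21,)):
    """Flag (1) any world holding a VSOCK endpoint, which the article names as
    the backdoor's guest-host channel, and (2) inetd bound to a port the
    article associates with VSOCKpuppet (21 by default)."""
    findings = []
    for r in rows:
        if r["type"].lower() == "vsock":
            findings.append(Finding(r["cartel"], r["world"],
                                    "VSOCK endpoint open: " + r["desc"]))
            continue
        m = re.search(r":(\d+)$", r["desc"])
        if (r["world"] == "inetd" and r["type"].startswith("IPv")
                and m and int(m.group(1)) in inetd_ports):
            findings.append(Finding(r["cartel"], r["world"],
                                    "inetd listening on port " + m.group(1)))
    return findings


def scan(text):
    """Convenience wrapper: parse then triage."""
    return find_suspicious(parse_lsof(text))


if __name__ == "__main__":
    for f in scan(SAMPLE_LSOF):
        print(f"cartel {f.cartel} ({f.world}): {f.reason}")
```

On a real host, feed the script the saved output of “lsof -a” rather than the constructed sample, and treat any VSOCK endpoint held by a world other than the expected VMware services as something to investigate alongside the other indicators the article lists (firewall rule changes, unsigned drivers, and KDU).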
This incident underscores persistent hypervisor threats, with attackers prioritizing stealth via driver restoration and config cleanup post-exploitation. Organizations must harden virtualization aggressively amid rising ransomware targeting ESXi.