Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that appears to have been developed more than a year before the targeted vulnerabilities became publicly known.
In attacks from December 2025 analyzed by managed security firm Huntress, the hackers used a sophisticated virtual machine (VM) escape that likely exploited three VMware vulnerabilities disclosed as zero-days in March 2025.
Of the three bugs, only one received a critical severity score:
- CVE-2025-22226 (7.1 severity score): An out-of-bounds read in HGFS that allows leaking memory from the VMX process
- CVE-2025-22224 (9.3 severity score): A TOCTOU vulnerability in the Virtual Machine Communication Interface (VMCI) leading to an out-of-bounds write, allowing code execution as the VMX process
- CVE-2025-22225 (8.2 severity score): An arbitrary write vulnerability in ESXi that allows escaping the VMX sandbox to the kernel
At the time of the disclosure, Broadcom warned that the security issues could be chained by attackers with administrator privileges on a guest VM to escape the VM and gain access to the underlying hypervisor.
However, a new report from Huntress provides clues indicating that the vulnerabilities may have been chained into an exploit since at least February 2024.
The researchers found in the PDB paths of the exploit binaries a folder named “2024_02_19,” suggesting that the package was developed as a potential zero-day exploit.
C:\Users\test\Desktop\2024_02_19全版本逃逸--交付\report\ESXI_8.0u3
Moreover, the folder name translates to “all-version escape – delivery,” and the ESXI_8.0u3 subfolder suggests that the intended target was ESXi 8.0 Update 3.
Huntress assesses that initial access likely came through a compromised SonicWall VPN. The attacker used a compromised Domain Admin account to pivot via RDP to domain controllers, stage data for exfiltration, and run an exploit chain that breaks out of a guest VM into the ESXi hypervisor.
The exploit toolkit involved the following components:
- MAESTRO (exploit.exe) – Coordinates the VM escape by disabling VMware VMCI devices, loading the unsigned exploit driver via KDU, monitoring exploit success, and restoring drivers afterward.
- MyDriver.sys – Unsigned kernel driver that executes the VM escape, including ESXi version detection, VMX memory leakage and corruption, sandbox escape, and deployment of a hypervisor backdoor.
- VSOCKpuppet – ELF backdoor running on the ESXi host that provides command execution and file transfer over VSOCK, bypassing traditional network monitoring (VSOCK traffic passes between guest and host over VMCI rather than a virtual NIC, so it never reaches a network tap or firewall).
- GetShell Plugin (client.exe) – Windows VSOCK client used to connect from a guest VM to the compromised ESXi host and interact with the VSOCKpuppet backdoor.
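Two of the guest-side behaviors listed above leave ordinary Windows telemetry behind: a kernel driver loaded from a user-writable path (with or without a valid signature) and the VMCI service being switched off before the escape. The following is an added detection example, written for this page and not Huntress's Sigma rules or anything from the toolkit. It runs over constructed Sysmon Event ID 6 (DriverLoad) and Service Control Manager Event ID 7040 (start type changed) records in JSON-lines form. The trusted-directory allowlist, the assumption that the guest VMCI driver registers a service named "vmci", and the normalized field names for the 7040 event are all assumptions to adjust for your own fleet.

```python
import json
from typing import Iterable

# Hypothetical allowlist: where legitimate kernel drivers normally load from.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Assumption: the guest-side VMCI bus driver registers a service named
# "vmci"; confirm the name on your own images before relying on it.
VMCI_SERVICE_NAMES = {"vmci"}


def driver_load_reasons(ev: dict) -> list:
    """Sysmon Event ID 6 (DriverLoad). Returns why the load looks suspicious;
    an empty list means it passed both checks."""
    reasons = []
    image = ev.get("ImageLoaded", "").lower()
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if image and not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the driver store")
    return reasons


def is_vmci_service_tamper(ev: dict) -> bool:
    """Service Control Manager Event ID 7040 (start type changed). Field names
    assume a SIEM-normalized record; raw events carry param1..param3."""
    return (
        ev.get("EventID") == 7040
        and ev.get("ServiceName", "").lower() in VMCI_SERVICE_NAMES
        and "disabled" in ev.get("NewStartType", "").lower()
    )


def hunt(lines: Iterable[str]) -> list:
    """Run both checks over JSON-lines events and return the findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 6:
            reasons = driver_load_reasons(ev)
            if reasons:
                findings.append({"rule": "suspicious_driver_load",
                                 "image": ev.get("ImageLoaded"), "reasons": reasons})
        elif is_vmci_service_tamper(ev):
            findings.append({"rule": "vmci_service_disabled",
                             "service": ev.get("ServiceName")})
    return findings


# Constructed sample events, not real telemetry. The provider.sys line stands
# in for the signed-but-vulnerable driver that KDU-style loaders abuse; the
# MyDriver.sys line is the unsigned payload named in the report.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7040, "ServiceName": "vmci",
     "OldStartType": "demand start", "NewStartType": "disabled"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\test\\AppData\\Local\\Temp\\provider.sys",
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\test\\AppData\\Local\\Temp\\MyDriver.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
])

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

One caveat when tuning this: a KDU-style loader maps its payload into kernel memory through a signed, vulnerable "provider" driver rather than through the normal driver loader, so the Event ID 6 you actually see may be that signed provider driver, not the unsigned payload. That is why the path check runs even when the signature is valid; hash-matching loaded drivers against a vulnerable-driver list is the natural next step.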

Supply: Huntress
The researchers found more clues pointing to the build date of the toolkit. A PDB path embedded in the ‘client.exe’ binary has a folder named “2023_11_02.”
C:\Users\test\Desktop\2023_11_02\vmci_vm_escape\getshell\source\client\x64\Release\client.pdb
It is possible that the component was “part of a broader vmci_vm_escape toolkit with a getshell component.”
The researchers believe that the threat actor may have a modular approach, where they separate the post-exploitation tools from the exploits. This would allow them to reuse the same infrastructure and easily switch to new vulnerabilities.
Huntress told BleepingComputer that they are moderately confident that the exploit toolkit leverages the three vulnerabilities that Broadcom disclosed last March. Their assessment is based on the exploit's behavior, including the use of HGFS for the information leak, VMCI for memory corruption, and shellcode escaping to the kernel.
However, they could not confirm with 100% certainty that it is the same exploitation Broadcom disclosed in its original bulletin on the three zero-days.
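Both PDB paths quoted above are artifacts that a triage script can pull straight out of a PE file, since MSVC stores the path in the CodeView RSDS debug record. The following is an added example written for this page, not Huntress's tooling or anything from the toolkit: it scans a blob for RSDS records, decodes the embedded path, and extracts the two indicators the report relies on, date-like folder names and non-ASCII path components. The input is a constructed byte string embedding the two paths as quoted in the report. MSVC writes the path in the build machine's ANSI code page, so decoding as UTF-8 with a GBK fallback is an assumption made here.

```python
import re
import struct

# RSDS (CodeView 7) debug record layout written by MSVC:
#   "RSDS" | 16-byte GUID | 4-byte age (LE) | NUL-terminated PDB path
RSDS_SIG = b"RSDS"
DATE_FOLDER = re.compile(r"(?<![0-9])(\d{4})_(\d{2})_(\d{2})(?![0-9])")


def decode_pdb_path(raw: bytes) -> str:
    """MSVC stores the path in the build machine's ANSI code page.
    Assumption: try UTF-8, then GBK (common on Chinese-locale builds),
    then a lossy decode so triage never fails on an odd code page."""
    for enc in ("utf-8", "gbk"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1", errors="replace")


def extract_rsds_records(data: bytes) -> list:
    """Scan a PE image (or any blob) for RSDS records and return
    (guid_hex, age, pdb_path) tuples. Signature scanning avoids a full PE
    parser and also works on memory dumps and carved fragments."""
    records = []
    pos = data.find(RSDS_SIG)
    while pos != -1:
        hdr = pos + 4
        if hdr + 20 <= len(data):
            guid = data[hdr:hdr + 16].hex()
            age = struct.unpack_from("<I", data, hdr + 16)[0]
            end = data.find(b"\x00", hdr + 20)
            if end == -1:
                end = len(data)
            records.append((guid, age, decode_pdb_path(data[hdr + 20:end])))
        pos = data.find(RSDS_SIG, pos + 4)
    return records


def triage_pdb_path(path: str) -> dict:
    """Pull out the indicators used in the report: date-like folder names,
    non-ASCII components, and the build user's profile name."""
    parts = path.split("\\")
    dates = ["-".join(m.groups()) for m in DATE_FOLDER.finditer(path)]
    return {
        "path": path,
        "build_dates": dates,
        "earliest_date": min(dates) if dates else None,
        "non_ascii_components": [p for p in parts if any(ord(c) > 127 for c in p)],
        "username": parts[2] if len(parts) > 2 and parts[1].lower() == "users" else None,
    }


def earliest_build_date(records: list):
    """Earliest date-like folder across every RSDS record in a sample set."""
    dates = [d for _, _, p in records for d in triage_pdb_path(p)["build_dates"]]
    return min(dates) if dates else None


# Constructed sample: two fake RSDS records (made-up GUIDs and ages) wrapping
# the two paths exactly as quoted in the report, padded with junk so the
# scanner has to locate them rather than assume an offset.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + RSDS_SIG + bytes(range(16)) + struct.pack("<I", 1)
    + "C:\\Users\\test\\Desktop\\2024_02_19全版本逃逸--交付\\report\\ESXI_8.0u3".encode("utf-8")
    + b"\x00" + b"\xcc" * 16
    + RSDS_SIG + bytes(range(16, 32)) + struct.pack("<I", 3)
    + b"C:\\Users\\test\\Desktop\\2023_11_02\\vmci_vm_escape\\getshell\\source\\client\\x64\\Release\\client.pdb"
    + b"\x00"
)

if __name__ == "__main__":
    recs = extract_rsds_records(SAMPLE)
    for guid, age, path in recs:
        print(guid, age, triage_pdb_path(path))
    print("earliest build folder date:", earliest_build_date(recs))
```

The date folders are developer convention, not a timestamp the compiler enforces, so treat them as corroborating evidence next to the PE header timestamp and any PDB age mismatches rather than as proof on their own.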

Supply: Huntress
Regarding the exploitation timeline and attribution-related observations, Huntress reports that some build paths include simplified Chinese, but there is also an English-language README, possibly indicating an intention to sell it to or share it with other threat actors.
Huntress comments that this combination likely suggests that the toolkit was developed by a well-resourced developer operating in a Chinese-speaking region.
Although the researchers are highly confident that the SonicWall VPN was the initial access vector, they recommend that organizations apply the latest ESXi security updates and use the provided YARA and Sigma rules for early detection.