
Unmasking ‘MAESTRO’: China-Linked Hackers Exploit VMware ESXi Zero-Days for Hypervisor Domination


Sophisticated China-Linked Threat Actors Breach VMware ESXi with Zero-Day Exploits

A highly sophisticated and alarming cyberattack, suspected to originate from Chinese-speaking threat actors, has been uncovered, revealing the exploitation of multiple VMware ESXi zero-day vulnerabilities. This multi-stage intrusion allowed attackers to achieve the ultimate nightmare for virtualized environments: a complete escape from guest virtual machines to gain full control over the underlying ESXi hypervisor. Cybersecurity firm Huntress, which observed and neutralized the activity in December 2025, warns that the attack could have culminated in a devastating ransomware incident.

The Revelation of Critical Zero-Days

At the heart of this breach lies the exploitation of three critical VMware vulnerabilities, which Broadcom publicly disclosed as zero-days in March 2025. These include:

  • CVE-2025-22224 (CVSS: 9.3): A severe vulnerability allowing memory leakage or code execution as the Virtual Machine Executable (VMX) process.
  • CVE-2025-22225 (CVSS: 8.2): An arbitrary write vulnerability crucial for escaping the VMX sandbox.
  • CVE-2025-22226 (CVSS: 7.1): Another vulnerability exploited in the initial stages of the attack.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) swiftly added these flaws to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the evidence of active exploitation. Intriguingly, researchers Anna Pham and Matt Anderson from Huntress noted that the toolkit used in this attack contained simplified Chinese strings in its development paths, including a folder named ‘全版本逃逸–交付’ (‘All version escape – delivery’). This, coupled with evidence suggesting the exploit was developed over a year before VMware’s public disclosure, strongly points to a well-resourced developer likely operating within a Chinese-speaking region.

Anatomy of the ‘MAESTRO’ Toolkit

The attackers gained initial access through a compromised SonicWall VPN appliance, paving the way for the deployment of a meticulously crafted exploit toolkit, dubbed ‘MAESTRO.’ This toolkit is a complex orchestration of several components designed for precision and stealth:

Orchestrating the Escape: exploit.exe

The central component, exploit.exe (aka MAESTRO), acts as the orchestrator for the entire VM escape process. It leverages embedded binaries to systematically dismantle VMware’s defenses:

  • devcon.exe: Used to disable VMware’s guest-side Virtual Machine Communication Interface (VMCI) drivers, a critical step in bypassing security mechanisms.
  • MyDriver.sys: An unsigned kernel driver containing the core exploit logic. This driver is loaded into kernel memory using the open-source Kernel Driver Utility (KDU).

Once the driver is loaded, exploit.exe monitors the exploit’s progress and then re-enables the VMCI drivers, leaving minimal traces in the guest.

The VM Escape Execution Flow: A Multi-Stage Assault

The driver’s primary function is to accurately identify the ESXi version running on the host, subsequently triggering exploits for CVE-2025-22226 and CVE-2025-22224. This critical phase allows the attacker to inject three distinct payloads directly into the VMX process’s memory:

  1. Stage 1 Shellcode: Prepares the environment for the VMX sandbox escape, laying the groundwork for further compromise.
  2. Stage 2 Shellcode: Establishes a firm foothold on the ESXi host, granting the attackers initial control.
  3. VSOCKpuppet: A sophisticated 64-bit ELF backdoor designed to provide persistent remote access to the ESXi host, communicating discreetly over VSOCK (Virtual Sockets) port 10000.

Huntress researchers detailed the final, decisive step: “After writing the payloads, the exploit overwrites a function pointer inside VMX. It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger VMX.” This manipulation, corresponding to CVE-2025-22225, ensures that when VMX processes the message, it executes the attacker’s shellcode instead of legitimate code, effectively escaping the sandbox.

VSOCKpuppet: The Persistent Hypervisor Backdoor

The choice of VSOCK for backdoor communication is particularly insidious. VSOCK provides a direct, high-speed communication pathway between guest VMs and the hypervisor, and the threat actors paired the backdoor with a guest-side “client.exe” (aka GetShell Plugin). This client can be executed from any guest Windows VM on the compromised host, giving the attackers command and control over the compromised ESXi hypervisor through the VSOCKpuppet backdoor.

The PDB path embedded in the binary suggests its development as early as November 2023. The GetShell Plugin boasts robust capabilities, including downloading files from ESXi to the VM, uploading files from the VM to ESXi, and executing arbitrary shell commands on the hypervisor. Interestingly, the plugin is delivered to the Windows VM as a ZIP archive (“Binary.zip”), complete with a README file containing usage instructions, offering a rare glimpse into the attackers’ operational sophistication.
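The guest-side traces described above (devcon.exe disabling VMCI, an unsigned driver mapped with KDU, VMCI re-enabled afterwards) are the part of this chain a defender can see from inside the VM. The following is an added detection example, not code from Huntress or from the article: it correlates those three steps per guest host in constructed process-creation log lines. The log format, the field names, the VMCI PCI hardware ID used in the devcon lines and the `-map` switch are assumptions made for the sample data.

```python
"""Correlate the guest-side MAESTRO escape sequence in process-creation logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> host=<vm> image=<exe> cmd=<command line>".
# The VMCI hardware ID and the KDU "-map" switch are assumptions, not page facts.
SAMPLE_LOG = """\
2025-12-03T10:14:02 host=vm-fin01 image=C:\\Windows\\explorer.exe cmd=explorer.exe
2025-12-03T10:15:10 host=vm-fin01 image=C:\\Temp\\devcon.exe cmd=devcon.exe disable "PCI\\VEN_15AD&DEV_0740"
2025-12-03T10:15:31 host=vm-fin01 image=C:\\Temp\\kdu.exe cmd=kdu.exe -map C:\\Temp\\MyDriver.sys
2025-12-03T10:16:40 host=vm-fin01 image=C:\\Temp\\devcon.exe cmd=devcon.exe enable "PCI\\VEN_15AD&DEV_0740"
2025-12-03T10:20:05 host=vm-fin01 image=C:\\Temp\\client.exe cmd=client.exe
2025-12-03T11:02:00 host=vm-hr02 image=C:\\Tools\\devcon.exe cmd=devcon.exe disable "PCI\\VEN_15AD&DEV_0740"
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) image=(\S+) cmd=(.*)$")
WINDOW = timedelta(minutes=15)  # all three stages must land within this window

# Ordered stages of the escape sequence as the article describes it.
STAGES = [
    ("vmci_disable", lambda img, cmd: img.lower().endswith("devcon.exe")
        and " disable " in cmd.lower() and "ven_15ad" in cmd.lower()),
    ("driver_load", lambda img, cmd: ".sys" in cmd.lower()
        and not img.lower().startswith("c:\\windows\\")),  # driver mapped from a non-system path
    ("vmci_enable", lambda img, cmd: img.lower().endswith("devcon.exe")
        and " enable " in cmd.lower() and "ven_15ad" in cmd.lower()),
]

def parse(log):
    """Yield (timestamp, host, image, cmdline) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, image, cmd = m.groups()
            yield datetime.fromisoformat(ts), host, image, cmd

def detect_escape_sequences(log):
    """Return {host: [stages reached in order]} for every host that started the sequence."""
    progress = defaultdict(lambda: {"start": None, "hits": []})
    findings = {}
    for ts, host, image, cmd in parse(log):
        st = progress[host]
        if st["start"] and ts - st["start"] > WINDOW:   # window expired: start over
            st["start"], st["hits"] = None, []
        nxt = len(st["hits"])
        if nxt < len(STAGES) and STAGES[nxt][1](image, cmd):
            st["start"] = st["start"] or ts
            st["hits"].append(STAGES[nxt][0])
            findings[host] = list(st["hits"])
    return findings

def complete_sequences(log):
    """Hosts where all three stages occurred in order: high-confidence escape attempt."""
    return [h for h, hits in detect_escape_sequences(log).items() if len(hits) == len(STAGES)]
```

A single devcon disable of VMCI (vm-hr02 in the sample) is only a partial match and should be triaged, not alerted on at the same severity as the full sequence.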

Implications and Attribution

While definitive attribution remains elusive, the confluence of simplified Chinese language strings, the extraordinary sophistication of the attack chain, and the exploitation of zero-day vulnerabilities months before public disclosure strongly implicates a well-resourced, state-sponsored or highly advanced criminal group operating from a Chinese-speaking region. This intrusion represents a chilling demonstration of a multi-stage attack designed to completely bypass virtual machine isolation. As Huntress aptly summarized, “By chaining an information leak, memory corruption, and sandbox escape, the threat actor achieved what every VM administrator fears: full control of the hypervisor from within a guest VM.” This incident serves as a stark reminder of the critical importance of timely patching, robust network segmentation, and advanced threat detection capabilities in defending against such formidable adversaries.
