Escaping Virtual Boundaries: China-Linked Hackers Exploit VMware ESXi Zero-Days

Chinese-Speaking Threat Actors Suspected in Targeting VMware ESXi with Compromised SonicWall VPN Appliance

Chinese-speaking threat actors are suspected of using a compromised SonicWall VPN appliance as the initial access point for an attack on VMware ESXi hosts. Huntress intercepted the intrusion in December 2025, most likely before the ransomware deployment it appeared to be leading up to.

The attackers exploited three VMware vulnerabilities, CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, which Broadcom disclosed and patched in March 2025 (VMSA-2025-0004). Used together, they turn administrative access inside a guest into control of the host: CVE-2025-22224 is a time-of-check/time-of-use bug in VMCI that gives code execution inside the Virtual Machine Executable (VMX) process, CVE-2025-22225 is an arbitrary write that lets code running in VMX escape its sandbox into the hypervisor, and CVE-2025-22226 is an out-of-bounds read in HGFS that leaks memory from the VMX process. Patches had been available for nine months by the time of the December 2025 intrusion; the toolkit itself, however, appears to predate the disclosure, which is why the flaws are described here as zero-days.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added all three to its Known Exploited Vulnerabilities (KEV) catalog the same month. The toolkit's binaries contain development paths with simplified Chinese strings, pointing to a well-resourced Chinese-speaking developer.

Toolkit Components and Exploitation Techniques

The toolkit is driven by an orchestrator, exploit.exe (internally named MAESTRO), which runs a set of helper binaries inside the guest to perform the virtual machine (VM) escape: devcon.exe to disable VMware's VMCI driver in the guest, and an unsigned kernel driver, MyDriver.sys, that runs the exploit from kernel mode. Both steps need administrative rights inside the guest, which matches the advisory's precondition for CVE-2025-22224: the chain turns guest admin into host control, it does not grant the admin rights in the first place.

The exploit is keyed to specific ESXi versions and injects three payloads into VMX memory: stage 1 and stage 2 shellcode, and VSOCKpuppet, a backdoor that gives the attackers persistent access to the ESXi host.


Overwriting function pointers inside the VMX process gave the attackers arbitrary code execution there, and the arbitrary kernel write of CVE-2025-22225 then carried them out of the VMX sandbox. Once the host was compromised, the backdoor and the attackers' VMs communicated over VSOCK, the guest-to-hypervisor socket family carried by VMCI, which provided remote access and command execution without a single packet touching the network.

Client-Server Communication and Stealthy Operations

To drive the backdoor, the attackers used a client application, client.exe (also called GetShell Plugin), dropped into Windows VMs as a ZIP archive; it provided file transfer, command execution and interactive remote access to the compromised ESXi host. Because it too spoke VSOCK, its traffic never crossed a vSwitch, firewall or network sensor, so network-based monitoring saw nothing.
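Since the VSOCK channel is invisible to network sensors, the detectable stages of this chain are the ones that happen inside the guest: devcon.exe disabling the VMCI driver, an unsigned kernel driver loading shortly afterwards, and the parent process that drove both. The following is an added example, not code from Huntress or from the toolkit itself: a small hunt over constructed Sysmon-style process and driver-load records that flags each behaviour and correlates them into the orchestrator pattern. The VMCI hardware ID, the field layout and every sample record are assumptions made for the example.

```python
"""Hunt for the guest-side stages of the ESXi escape toolkit in Windows telemetry.

Added example for this article, not code from Huntress or from the toolkit.
It scores constructed Sysmon-style records for the behaviours the report
names: devcon.exe disabling the VMware VMCI bus driver, an unsigned kernel
driver (MyDriver.sys) loading shortly afterwards, and the parent process
that drove both (the MAESTRO orchestrator).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Assumed hardware ID of the VMware VMCI bus device; confirm against your
# guests' Device Manager before relying on it in a production rule.
VMCI_HWID = r"PCI\VEN_15AD&DEV_0740"
DISABLE_VERB = re.compile(r"\bdisable\b", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    """Minimal view of Sysmon Event ID 1 (process) or 6 (driver load)."""
    ts: float            # seconds; constructed values in the sample below
    kind: str            # "process" or "driver"
    image: str           # Image (EID 1) or ImageLoaded (EID 6)
    pid: int = 0         # ProcessId (EID 1 only)
    ppid: int = 0        # ParentProcessId (EID 1 only)
    cmdline: str = ""    # CommandLine (EID 1 only)
    signed: bool = True  # Signed (EID 6 only)


@dataclass(frozen=True)
class Chain:
    orchestrator_pid: int  # parent of the devcon.exe call, i.e. exploit.exe
    disable: Event
    driver: Event


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_vmci_disable(e: Event) -> bool:
    """devcon.exe disabling the VMCI device: the toolkit's first move."""
    if e.kind != "process" or _basename(e.image) != "devcon.exe":
        return False
    cmd = e.cmdline.lower()
    return bool(DISABLE_VERB.search(cmd)) and (VMCI_HWID.lower() in cmd or "vmci" in cmd)


def is_unsigned_driver(e: Event) -> bool:
    """Any unsigned kernel driver load; MyDriver.sys is the report's example."""
    return e.kind == "driver" and not e.signed


def evaluate(events: Iterable[Event]) -> list[tuple[str, Event]]:
    """Tag each event with the rule(s) it trips, in timestamp order."""
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        if is_vmci_disable(e):
            hits.append(("vmci_driver_disabled", e))
        if is_unsigned_driver(e):
            hits.append(("unsigned_kernel_driver", e))
    return hits


def find_chains(events: Iterable[Event], window: float = 60.0) -> list[Chain]:
    """Correlate a VMCI disable with an unsigned driver load inside `window`
    seconds. Either alone is noisy; together and in that order they are the
    escape precondition, and the devcon parent PID points at the orchestrator."""
    evs = sorted(events, key=lambda x: x.ts)
    chains = []
    for d in evs:
        if not is_vmci_disable(d):
            continue
        for drv in evs:
            if is_unsigned_driver(drv) and d.ts <= drv.ts <= d.ts + window:
                chains.append(Chain(d.ppid, d, drv))
    return chains


# Constructed telemetry: benign noise plus one instance of the reported chain.
SAMPLE = [
    Event(10, "process", r"C:\Windows\System32\svchost.exe", 900, 600, "svchost.exe -k netsvcs"),
    Event(20, "driver", r"C:\Windows\System32\drivers\vmci.sys", signed=True),
    Event(50, "process", r"C:\Tools\devcon.exe", 3000, 2500, r"devcon.exe disable USB\VID_0781&PID_5583"),
    Event(100, "process", r"C:\Users\Public\exploit.exe", 4100, 3900, "exploit.exe"),
    Event(101, "process", r"C:\Users\Public\devcon.exe", 4120, 4100, r"devcon.exe disable PCI\VEN_15AD&DEV_0740"),
    Event(103, "driver", r"C:\Users\Public\MyDriver.sys", signed=False),
    Event(900, "driver", r"C:\Temp\test.sys", signed=False),  # unsigned, but no VMCI prep
]

if __name__ == "__main__":
    for rule, e in evaluate(SAMPLE):
        print(f"{e.ts:>6.0f}  {rule:<24}  {e.image}")
    for c in find_chains(SAMPLE):
        print(f"toolkit chain: orchestrator pid {c.orchestrator_pid} -> "
              f"{_basename(c.disable.image)} then {_basename(c.driver.image)}")
```

The benign devcon call against a USB device and the signed vmci.sys load are ignored, the stray unsigned driver at t=900 is reported on its own but not as a chain, and only the devcon-then-MyDriver.sys sequence under PID 4100 is escalated. In a real deployment the same two rules would run over Sysmon EID 1 and EID 6 (or the equivalent EDR events), and the orchestrator PID is the process to pull for the exploit.exe binary and the ZIP containing client.exe.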

The complexity of the chain, and the fact that the actors held working exploits for these vulnerabilities months before they were publicly disclosed, point to a skilled and well-resourced group. Its goal was full control of the hypervisor from within a guest VM, which is exactly the trust boundary that virtualized environments depend on.

Conclusion

This targeted attack on VMware ESXi shows how far capable actors will go to cross the guest-to-host boundary. Using VSOCK for backdoor communication defeats network detection outright, so visibility has to come from inside the guest (unexpected driver loads, devcon activity, unsigned kernel drivers) and from the host (patch level, unexpected VMX behaviour) rather than from the wire.

The immediate defensive takeaways are to keep ESXi current with Broadcom's fixes for these three CVEs, to treat every guest administrator as a potential hypervisor attacker when designing isolation, and to monitor the VPN appliances that, as here, provide the first foothold.

