Perceptive Security
SOC/SIEM Consultancy

China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines
Published:
9 January 2026 at 17:43:00
Alert date:
9 January 2026 at 20:01:43
Source:
thehackernews.com
Cloud & Virtualization, Zero-Day Vulnerabilities, Ransomware & Malware
Chinese-speaking threat actors exploited a compromised SonicWall VPN appliance to gain initial access and deploy VMware ESXi zero-day exploits for virtual machine escape. The attack was discovered by Huntress in December 2025 and may have been designed to deliver ransomware. The VMware ESXi exploit was potentially developed as early as February 2024, indicating a sophisticated long-term campaign. The attackers successfully compromised the virtualization infrastructure before being stopped in the final stage.
Technical details
Chinese-speaking threat actors leveraged a compromised SonicWall VPN appliance as the initial access vector to deploy the VMware ESXi exploit. The attack chain is driven by exploit.exe (MAESTRO), an orchestrator with embedded binaries: devcon.exe to disable the VMCI drivers, and MyDriver.sys, an unsigned kernel driver loaded via the KDU tool. The exploit identifies the ESXi version and then triggers CVE-2025-22226/CVE-2025-22224, writing three payloads into VMX memory: Stage 1 shellcode for environment preparation, Stage 2 shellcode for an ESXi foothold, and VSOCKpuppet, a 64-bit ELF backdoor providing persistent access via VSOCK port 10000. The attack overwrites a VMX function pointer and uses VMCI messages to trigger execution. The GetShell Plugin (client.exe) enables command execution and file transfer between guest VMs and the compromised hypervisor over VSOCK communication.
Mitigation steps:
Apply VMware security patches for CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. Monitor for VSOCK communications on port 10000. Implement network monitoring to detect attempts to bypass traditional detection controls. Monitor for loading of unsigned kernel drivers. Check for suspicious VM escape attempts and hypervisor compromise indicators. Ensure SonicWall VPN appliances are properly secured and monitored for compromise.
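The following is an added detection example, not code from Huntress, VMware or this alert's source. It turns the indicators listed above (unsigned kernel driver loads, the named tooling filenames, Simplified Chinese strings in build paths, and VSOCK connections to port 10000) into rules run over constructed, JSON-formatted endpoint and hypervisor telemetry. The event field names (type, image, signed, pdb_path, src_cid, dst_cid, dst_port) and the sample events are assumptions for illustration; map them onto your own SIEM schema.

```python
"""Added example: scan constructed telemetry for the indicators named in this
alert. Field names and the VSOCK event layout are assumed, not a vendor format."""
import json
import re

# Indicators taken from the alert text: filenames of the exploit tooling.
SUSPECT_FILES = {"exploit.exe", "devcon.exe", "mydriver.sys",
                 "client.exe", "binary.zip", "vsockpuppet"}
VSOCK_BACKDOOR_PORT = 10000
# CJK Unified Ideographs range; catches Simplified Chinese strings in paths.
CJK_PATH = re.compile(r"[\u4e00-\u9fff]")

# Constructed sample telemetry, one JSON object per line (not real logs).
SAMPLE_EVENTS = r"""
{"host":"win-guest-01","type":"driver_load","image":"C:\\Windows\\System32\\drivers\\tcpip.sys","signed":true}
{"host":"win-guest-01","type":"driver_load","image":"C:\\Users\\ops\\tmp\\MyDriver.sys","signed":false}
{"host":"win-guest-01","type":"process_create","image":"C:\\Users\\ops\\tmp\\exploit.exe","pdb_path":"D:\\全版本逃逸--交付\\x64\\Release\\exploit.pdb"}
{"host":"esxi-01","type":"vsock_connect","src_cid":3,"dst_cid":2,"dst_port":10000}
{"host":"esxi-01","type":"vsock_connect","src_cid":3,"dst_cid":2,"dst_port":902}
{"host":"win-guest-02","type":"process_create","image":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"}
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return a list of human-readable findings for one telemetry event."""
    findings = []
    kind = ev.get("type")
    # Unsigned kernel driver loads (MyDriver.sys was loaded via KDU in the alert).
    if kind == "driver_load" and not ev.get("signed", True):
        findings.append(f"unsigned kernel driver loaded: {ev.get('image', '')}")
    if kind in ("driver_load", "process_create"):
        name = basename(ev.get("image", ""))
        if name in SUSPECT_FILES:
            findings.append(f"known tooling filename: {name}")
        # Development-path strings with Chinese characters, as seen in the tooling.
        pdb = ev.get("pdb_path", "")
        if CJK_PATH.search(pdb):
            findings.append(f"CJK characters in build path: {pdb}")
    # Guest-to-hypervisor VSOCK traffic on the backdoor's listening port.
    if kind == "vsock_connect" and ev.get("dst_port") == VSOCK_BACKDOOR_PORT:
        findings.append(
            f"VSOCK connection to port {VSOCK_BACKDOOR_PORT} from CID {ev.get('src_cid')}")
    return findings


def scan(lines: str) -> list[tuple[str, str]]:
    """Parse JSON-lines telemetry and return (host, finding) pairs."""
    hits = []
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        for finding in check_event(ev):
            hits.append((ev.get("host", "?"), finding))
    return hits


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(f"[{host}] {finding}")
```

Each rule is deliberately narrow: a filename match alone is weak evidence, but the combination of an unsigned driver load, a tooling filename and a VSOCK connection to port 10000 from the same guest within a short window is the pattern worth escalating. Legitimate VSOCK traffic (VMware Tools, for example) uses other ports, which is why the sample event on port 902 produces no finding.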
Affected products:
VMware ESXi
SonicWall VPN appliances
Related links:
https://www.huntress.com/blog/esxi-vm-escape-exploit
https://thehackernews.com/2025/03/vmware-security-flaws-exploited-in.html
https://github.com/hfiref0x/KDU
https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html
Related CVEs:
CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
Related threat actors:
Chinese-speaking threat actors (unattributed)
IOCs:
exploit.exe (MAESTRO), devcon.exe, MyDriver.sys, client.exe (GetShell Plugin), VSOCKpuppet, Binary.zip, VSOCK port 10000, Simplified Chinese strings in development paths, Folder named '全版本逃逸--交付' (All version escape - delivery)
This article was created with the assistance of AI technology by Perceptive.
