
VMware ESXi zero-days likely exploited a year before disclosure

Published:

8 January 2026 at 21:27:19

Alert date:

8 January 2026 at 22:02:23

Source:

bleepingcomputer.com


Cloud & Virtualization, Zero-Day Vulnerabilities, Network Infrastructure

Chinese-speaking threat actors exploited VMware ESXi zero-day vulnerabilities using an exploit toolkit developed more than a year before the vulnerabilities were publicly disclosed. The attackers gained initial access through a compromised SonicWall VPN appliance and used it to deliver the ESXi exploit toolkit. This indicates that the vulnerabilities were known to, and actively exploited by, threat actors well before VMware and the security community became aware of them. The long gap between exploitation and disclosure highlights the sophistication of the threat actors and their ability to maintain operational security while running long-term campaigns.

Technical details

Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit. The attack involved a sophisticated virtual machine escape exploiting three VMware vulnerabilities. The exploit toolkit included MAESTRO (exploit.exe) for coordinating the VM escape, the unsigned kernel driver MyDriver.sys for executing the VM escape, the VSOCKpuppet ELF backdoor for ESXi host access, and the GetShell Plugin for the Windows VSOCK client connection. PDB paths in the exploit binaries contained folders named '2024_02_19' and '2023_11_02', suggesting development dates well before public disclosure. The attack chain involved disabling VMware VMCI devices, loading the unsigned exploit driver via KDU, VMX memory leakage and corruption, sandbox escape, and deployment of a hypervisor backdoor.
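The PDB paths quoted in this advisory are a cheap hunting indicator: the build-folder names survive in the CodeView (RSDS) debug record of a compiled PE. The following scanner is an added example, not code from the advisory or its source; it does a raw byte scan for RSDS records rather than walking the PE debug directory (a simplification), matches the extracted paths against the advisory's two fragments, and flags the weaker date-named build-folder pattern. The sample input it builds is constructed for the demo.

```python
import re
import struct

# PDB path fragments quoted in the advisory above (folder names embedded by the toolkit authors).
# Backslashes are doubled because these are Python string literals.
KNOWN_PDB_FRAGMENTS = [
    "\\2024_02_19\\全版本逃逸--交付\\report\\ESXI_8.0u3\\",
    "\\2023_11_02\\vmci_vm_escape\\getshell\\source\\client\\x64\\Release\\client.pdb",
]
# Weaker heuristic: build folders named after a date (YYYY_MM_DD), as seen in both paths above.
DATE_FOLDER_RE = re.compile(r"\\\d{4}_\d{2}_\d{2}\\")
RSDS = b"RSDS"  # CodeView signature, followed by a 16-byte GUID, a 4-byte age and the PDB path

def extract_pdb_paths(data: bytes) -> list[str]:
    """Return PDB paths found in RSDS CodeView records anywhere in the bytes (raw scan, not a
    full PE debug-directory walk, so it also works on truncated or partially overwritten samples)."""
    paths = []
    pos = data.find(RSDS)
    while pos != -1:
        start = pos + 4 + 16 + 4  # skip signature, GUID and age
        end = data.find(b"\x00", start)
        if end != -1 and 0 < end - start < 512:
            raw = data[start:end]
            try:
                path = raw.decode("utf-8")
            except UnicodeDecodeError:
                path = raw.decode("latin-1")  # ANSI-code-page paths from older toolchains
            if path.isprintable():
                paths.append(path)
        pos = data.find(RSDS, pos + 4)
    return paths

def classify_pdb_path(path: str) -> list[str]:
    """Reasons a PDB path is suspicious: a known toolkit fragment, or a date-named build folder."""
    reasons = []
    lowered = path.lower()
    if any(frag.lower() in lowered for frag in KNOWN_PDB_FRAGMENTS):
        reasons.append("known-toolkit-pdb-path")
    if DATE_FOLDER_RE.search(path):
        reasons.append("date-named-build-folder")
    return reasons

def scan_file_bytes(data: bytes) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every embedded PDB path that triggers at least one reason."""
    return [(p, classify_pdb_path(p)) for p in extract_pdb_paths(data) if classify_pdb_path(p)]

def make_sample(pdb_path: str) -> bytes:
    """Constructed stand-in for a PE file: fake MZ header, filler, one RSDS record, padding."""
    record = RSDS + bytes(16) + struct.pack("<I", 1) + pdb_path.encode("utf-8") + b"\x00"
    return b"MZ" + bytes(62) + b"\x90" * 64 + record + b"\x00" * 32
```

For real triage, read the file with open(path, "rb").read() and pass it to scan_file_bytes; treat the date-folder hit alone as a weak signal that needs corroboration from the YARA and Sigma rules the advisory refers to.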

Mitigation steps:

Apply the latest ESXi security updates
Use provided YARA and Sigma rules for early detection
Monitor for VM escape attempts and VMCI device manipulation
Review SonicWall VPN appliance security and access logs

Affected products:

VMware ESXi 8.0 Update 3
SonicWall VPN appliances

IOCs:

exploit.exe (MAESTRO)
MyDriver.sys
client.exe (GetShell Plugin)
VSOCKpuppet ELF backdoor
PDB path: C:\Users\test\Desktop\2024_02_19\全版本逃逸--交付\report\ESXI_8.0u3\
PDB path: C:\Users\test\Desktop\2023_11_02\vmci_vm_escape\getshell\source\client\x64\Release\client.pdb

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
