Hackers Actively Exploit VMware ESXi Instances Using Zero-Day Exploit Toolkit
By AnuPriya
January 8, 2026
Categories: Cyber Security News, Cybersecurity, Vulnerabilities
Security researchers at Huntress have uncovered a sophisticated attack campaign targeting VMware ESXi instances through a zero-day exploit toolkit dubbed MAESTRO.
The toolkit chains multiple critical vulnerabilities to achieve virtual machine escape, allowing threat actors to break out of guest environments and gain control of host systems.
The discovery highlights escalating threats to virtualized infrastructure, particularly as attackers increasingly target hypervisor security for ransomware operations.
In a real-world attack disrupted by Huntress, threat actors gained initial access via a compromised SonicWall VPN appliance and laterally pivoted using stolen Domain Admin credentials.
Upon reaching the primary domain controller, attackers deployed reconnaissance tools, including Advanced Port Scanner and ShareFinder, to map the environment.
They staged data using WinRAR and deliberately modified Windows firewall rules, blocking external outbound connections while permitting internal lateral movement, a tactic designed to maintain stealth while preserving command-and-control capabilities.
The MAESTRO toolkit executed approximately 20 minutes after deployment on the domain controller. It systematically disabled VMware VMCI drivers using devcon.exe, then loaded an unsigned kernel driver via KDU to circumvent Driver Signature Enforcement, a Windows security mechanism.
Toolkit (Source: Huntress)
The toolkit’s core component, MyDriver.sys, uses the Guest SDK to detect ESXi versions and selects matching memory offsets from a table that supports 155 builds spanning ESXi 5.1 through 8.0.
The exploitation chain utilizes three distinct zero-day vulnerabilities to achieve sandbox escape. The toolkit first leaks virtual machine memory through CVE-2025-22226, then corrupts kernel memory to escalate privileges via CVE-2025-22224 and CVE-2025-22225.
Once an escape is achieved, attackers deploy VSOCKpuppet, a sophisticated backdoor that hijacks ESXi’s inetd service on port 21, enabling root-level command execution.
Critically, the backdoor leverages VSOCK for covert guest-to-host communication, rendering it invisible to standard network monitoring tools.
CVE Summary Table

CVE ID          CVSS Score  Vulnerability Type  Impact
CVE-2025-22226  7.1         Out-of-bounds Read  Memory disclosure from HGFS leaking VMX base address
CVE-2025-22224  9.3         Arbitrary Write     Kernel privilege escalation from guest context
CVE-2025-22225  8.2         Arbitrary Write     Sandbox escape enabling host system compromise
Forensic analysis of PDB debug symbols reveals that development occurred in simplified Chinese environments, with artifacts dated February 2024, more than a year before Broadcom’s official vulnerability disclosure in March 2025.
Additional client tool artifacts reference “XLab” and carry November 2023 timestamps, suggesting modular, well-resourced adversary infrastructure.
The attack demonstrates how hypervisor vulnerabilities fundamentally undermine VM isolation guarantees.
Huntress researchers recommend organizations immediately patch ESXi systems, as end-of-life versions receive no security updates.
Detection requires using network utilities to monitor for processes that communicate over VSOCK, scrutinizing suspicious kernel drivers, and securing VPN appliances against initial compromise.
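As an added illustration of the host-side detection points above (this is example code, not Huntress's or the article's), the following Python runs over constructed Sysmon-style process-creation and driver-load events and pairs a devcon.exe VMCI disable with a later unsigned kernel driver load on the same host. The event fields, file paths, hostnames and timestamps are assumed sample values.

```python
"""Triage constructed Sysmon-style events for the VMCI-disable, then unsigned
driver-load sequence. Fields loosely follow Sysmon Event ID 1 (process creation)
and Event ID 6 (driver loaded); every value below is a made-up sample."""
from datetime import datetime, timedelta

EVENTS = [  # constructed sample telemetry, not data from the incident
    {"time": "2026-01-07T10:00:05", "id": 1, "host": "DC01",
     "image": r"C:\Windows\Temp\devcon.exe", "cmd": "devcon.exe disable *vmci*"},
    {"time": "2026-01-07T10:03:40", "id": 6, "host": "DC01", "signed": "false",
     "status": "Unavailable", "image": r"C:\Windows\Temp\MyDriver.sys"},
    {"time": "2026-01-07T10:05:00", "id": 6, "host": "FILE01", "signed": "true",
     "status": "Valid", "image": r"C:\Windows\System32\drivers\vmci.sys"},
    {"time": "2026-01-07T11:20:00", "id": 6, "host": "WS07", "signed": "false",
     "status": "Unavailable", "image": r"C:\Users\Public\x.sys"},
]

def is_vmci_disable(ev):
    """Sysmon 1: devcon.exe run with 'disable' and a VMCI-related argument."""
    cmd = ev.get("cmd", "").lower()
    return ev["id"] == 1 and "devcon" in ev["image"].lower() and "disable" in cmd and "vmci" in cmd

def is_unsigned_driver_load(ev):
    """Sysmon 6: driver load whose signature is absent or did not verify."""
    return ev["id"] == 6 and (ev["signed"].lower() != "true" or ev["status"] != "Valid")

def triage(events, window=timedelta(minutes=30)):
    """Return (severity, host, detail) tuples. A VMCI disable followed on the same
    host by an unsigned driver load within `window` is one high-severity finding;
    either behaviour on its own is reported as medium."""
    ts = lambda ev: datetime.fromisoformat(ev["time"])
    loads = [e for e in events if is_unsigned_driver_load(e)]
    findings, paired = [], set()
    for d in (e for e in events if is_vmci_disable(e)):
        later = [l for l in loads if l["host"] == d["host"]
                 and timedelta(0) <= ts(l) - ts(d) <= window]
        if later:
            paired.add(id(later[0]))
            findings.append(("high", d["host"],
                             "VMCI disabled via devcon, then unsigned driver loaded: " + later[0]["image"]))
        else:
            findings.append(("medium", d["host"], "VMCI driver disabled via devcon"))
    for l in loads:
        if id(l) not in paired:
            findings.append(("medium", l["host"], "unsigned kernel driver loaded: " + l["image"]))
    return findings

if __name__ == "__main__":
    for sev, host, detail in triage(EVENTS):
        print(f"[{sev.upper()}] {host}: {detail}")
```

On the sample data the DC01 pair is reported as high severity, the signed vmci.sys load on FILE01 is ignored, and the lone unsigned load on WS07 is reported as medium.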
The incident underscores why virtualization security now demands enterprise-grade attention alongside traditional network defenses.
AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.