Hackers Actively Exploit VMware ESXi Instances Using Zero-Day Exploit Toolkit - cyberpress.org

Source: cyberpress.org (archived Mar 18, 2026)

By AnuPriya, January 8, 2026
Categories: Cyber Security News, Cybersecurity, Vulnerabilities

Security researchers at Huntress have uncovered a sophisticated attack campaign targeting VMware ESXi instances through a zero-day exploit toolkit dubbed MAESTRO. The toolkit chains multiple critical vulnerabilities to achieve virtual machine escape, allowing threat actors to break out of guest environments and gain control of host systems. The discovery highlights escalating threats to virtualized infrastructure, particularly as attackers increasingly target hypervisor security for ransomware operations.

In a real-world attack disrupted by Huntress, threat actors gained initial access via a compromised SonicWall VPN appliance and pivoted laterally using stolen Domain Admin credentials. Upon reaching the primary domain controller, the attackers deployed reconnaissance tools, including Advanced Port Scanner and ShareFinder, to map the environment. They staged data using WinRAR and deliberately modified Windows firewall rules, blocking external outbound connections while permitting internal lateral movement, a tactic designed to stay stealthy while preserving command-and-control capabilities.

The MAESTRO toolkit executed approximately 20 minutes after deployment on the domain controller. It systematically disabled the VMware VMCI drivers using devcon.exe, then loaded an unsigned kernel driver via KDU to circumvent Driver Signature Enforcement, a Windows security mechanism.

[Figure: Toolkit (Source: Huntress)]

The toolkit's core component, MyDriver.sys, uses the Guest SDK to detect the ESXi version and selects matching memory offsets from a table that covers 155 builds spanning ESXi 5.1 through 8.0. The exploitation chain uses three distinct zero-day vulnerabilities to achieve sandbox escape. The toolkit first leaks virtual machine memory through CVE-2025-22226, then corrupts kernel memory to escalate privileges via CVE-2025-22224 and CVE-2025-22225. Once the escape is achieved, the attackers deploy VSOCKpuppet, a backdoor that hijacks ESXi's inetd service on port 21, enabling root-level command execution. Critically, the backdoor uses VSOCK for covert guest-to-host communication, rendering it invisible to standard network monitoring tools.

CVE Summary Table

CVE ID           CVSS Score   Vulnerability Type   Impact
CVE-2025-22226   7.1          Out-of-bounds Read   Memory disclosure from HGFS leaking the VMX base address
CVE-2025-22224   9.3          Arbitrary Write      Kernel privilege escalation from guest context
CVE-2025-22225   8.2          Arbitrary Write      Sandbox escape enabling host system compromise

Forensic analysis of PDB debug symbols reveals that development occurred in simplified Chinese environments, with artifacts dated February 2024, more than a year before Broadcom's official vulnerability disclosure in March 2025. Additional client tool artifacts reference "XLab" and carry November 2023 timestamps, suggesting modular, well-resourced adversary infrastructure.

The attack demonstrates how hypervisor vulnerabilities fundamentally undermine VM isolation guarantees. Huntress researchers recommend that organizations patch ESXi systems immediately, as end-of-life versions receive no security updates. Detection requires monitoring for VSOCK processes using network utilities, scrutinizing suspicious kernel drivers, and securing VPN appliances against initial compromise. The incident underscores why virtualization security now demands enterprise-grade attention alongside traditional network defenses.
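A defender-side illustration of the detection advice above (scrutinizing suspicious kernel drivers and the staging steps seen on the domain controller), added here as an example and not code from Huntress or Cyber Press. It runs simple correlation rules over constructed, Sysmon-like sample events; the field names, the sample records and the rule names are assumptions made for this example.

```python
# Constructed sample telemetry (not real logs) in a simplified Sysmon-like
# shape: EventID 1 = process creation, EventID 6 = driver load. The field
# names are an assumption for this example, not an official schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Tools\devcon.exe",
     "CommandLine": "devcon.exe disable *VMCI*"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=upd "
                    "dir=out action=block remoteip=any"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\MyDriver.sys", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\vmci.sys",
     "Signed": "true"},
]

SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"
# The three staging behaviours the article describes on the domain controller.
CHAIN_RULES = {"vmci_driver_disabled", "unsigned_driver_load", "outbound_firewall_block"}


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev):
    """Return the name of the rule a single event trips, or None."""
    if ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "").lower()
        exe = _basename(ev.get("Image", ""))
        # devcon.exe used to disable the VMCI device/driver before exploitation.
        if exe == "devcon.exe" and "disable" in cmd and "vmci" in cmd:
            return "vmci_driver_disabled"
        # Outbound block rule: attacker cutting external egress while keeping LAN reach.
        if exe == "netsh.exe" and "advfirewall" in cmd and "dir=out" in cmd and "action=block" in cmd:
            return "outbound_firewall_block"
    elif ev.get("EventID") == 6:
        # Any unsigned driver load implies a DSE bypass (KDU or similar).
        if str(ev.get("Signed", "")).lower() != "true":
            return "unsigned_driver_load"
        # Signed but loaded from an unusual location is still worth a look.
        if not ev.get("ImageLoaded", "").lower().startswith(SYSTEM_DRIVER_DIR):
            return "driver_outside_system_dir"
    return None


def detect(events):
    """Per-event hits plus a correlated verdict: all three staging rules
    firing in one event stream is treated as a suspected MAESTRO-style chain."""
    hits = []
    for ev in events:
        rule = check_event(ev)
        if rule:
            hits.append(rule)
    return {"hits": hits, "chain_suspected": CHAIN_RULES <= set(hits)}


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```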