China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines - The Hacker News

China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines Ravie LakshmananJan 09, 2026Virtualization / Vulnerability Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024. Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it may have resulted in a ransomware attack. Most notably, the attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process. That same month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. "The toolkit analyzed [...] also includes simplified Chinese strings in its development paths, including a folder named '全版本逃逸--交付' (translated: 'All version escape - delivery'), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware's public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region," researchers Anna Pham and Matt Anderson said. The assessment that the toolkit weaponizes the three VMware shortcomings is based on the exploit's behavior, its use of Host-Guest File System (HGFS) for information leaking, Virtual Machine Communication Interface (VMCI) for memory corruption, and shellcode that escapes to the kernel, the company added. The toolkit involves multiple components, chief among them being "exploit.exe" (aka MAESTRO), which acts as the orchestrator for the entire virtual machine (VM) escape by making use of the following embedded binaries - devcon.exe, to disable VMware's guest-side VMCI drivers MyDriver.sys, an unsigned kernel driver containing the exploit that's loaded into kernel memory using an open-source tool called Kernel Driver Utility (KDU), following which the exploit status is monitored and the VMCI drivers are re-enabled  VM Escape exploitation flow The driver's main responsibility is to identify the exact ESXi version running on the host and trigger an exploit for CVE-2025-22226 and CVE-2025-22224, ultimately allowing the attacker to write three payloads directly into VMX's memory - Stage 1 shellcode, to prepare the environment for the VMX sandbox escape  Stage 2 shellcode, to establish a foothold on the ESXi host VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000 "After writing the payloads, the exploit overwrites a function pointer inside VMX," Huntress explained. "It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger VMX." VSOCK communication protocol between client.exe and VSOCKpuppet "When VMX handles the message, it follows the corrupted pointer and jumps to the attacker's shellcode instead of legitimate code. This final stage corresponds to CVE-2025-22225, which VMware describes as an 'arbitrary write vulnerability' that allows 'escaping the sandbox.'" Because VSOCK offers a direct communication pathway between guest VMs and the hypervisor, the threat actors have been found to employ a "client.exe" (aka GetShell Plugin) that can be used from any guest Windows VM on the compromised host and send commands back up to the compromised ESXi and interact with the backdoor. The PDB path embedded in the binary reveals it may have been developed in November 2023. The client supports the ability to download files from ESXi to the VM, upload files from the VM to ESXi, and execute shell commands on the hypervisor. Interestingly, the GetShell Plugin is dropped to the Windows VM in the form of a ZIP archive ("Binary.zip"), which also includes a README file with usage instructions, giving an insight into its file transfer and command execution features. It's currently not clear who is behind the toolkit, but the use of simplified Chinese, coupled with the sophistication of the attack chain and the abuse of zero-day vulnerabilities months before public disclosure, likely points to a well-resourced developer operating in a Chinese-speaking region, theorized Huntress. "This intrusion demonstrates a sophisticated, multi-stage attack chain designed to escape virtual machine isolation and compromise the underlying ESXi hypervisor," the company added. "By chaining an information leak, memory corruption, and sandbox escape, the threat actor achieved what every VM administrator fears: full control of the hypervisor from within a guest VM." "The use of VSOCK for backdoor communication is particularly concerning, as it bypasses traditional network monitoring entirely, making detection significantly harder. The toolkit also prioritizes stealth over persistence." Pham, a senior tactical response analyst at Huntress, told The Hacker News that there is no evidence to suggest that the toolkit was advertised or sold on dark web forums, adding that it was deployed in a targeted manner. "However, given the presence of a README file with operational instructions, the toolkit was clearly designed for distribution beyond the original developer," Pham said. "We assess with high confidence that the toolkit is being sold privately by a Chinese-speaking developer, likely through private channels or closed groups rather than public underground markets." "The targeted nature of observed deployments suggests the toolkit may be distributed selectively to vetted buyers rather than broadly commercialized, consistent with higher-end offensive tooling that operators prefer to keep out of widespread propagation to avoid detection signature development." (The story was updated after publication to include additional commentary from Huntress.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  CISA, cybersecurity, hypervisor, network security, ransomware, Threat Intelligence, virtualization, vmware, Vulnerability, zero-day Trending News Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Load More ▼ Popular Resources Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Identity Controls Checklist: Find Missing Protections in Apps