Cybersecurity

Essential Guide: China-linked Hackers Exploit Vmware Esxi Zero-days To Escape...

2026-01-09 0 views admin
Essential Guide: China-linked Hackers Exploit Vmware Esxi Zero-days To Escape...

Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024.

Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it may have resulted in a ransomware attack.

Most notably, the attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process.

That same month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

"The toolkit analyzed [...] also includes simplified Chinese strings in its development paths, including a folder named '全版本逃逸--交付' (translated: 'All version escape - delivery'), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware's public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region," researchers Anna Pham and Matt Anderson said.

The assessment that the toolkit weaponizes the three VMware shortcomings is based on the exploit's behavior, its use of Host-Guest File System (HGFS) for information leaking, Virtual Machine Communication Interface (VMCI) for memory corruption, and shellcode that escapes to the kernel, the company added.

The toolkit involves multiple components, chief among them being "exploit.exe" (aka MAESTRO), which acts as the orchestrator for the entire virtual machine (VM) escape by making use of the following embedded binaries -

The driver's main responsibility is to identify the exact ESXi version running on the host and trigger an exploit for CVE-2025-22226 and CVE-2025-22224, ultimately allowing the attacker to write three payloads directly into VMX's memory -

"After writing the payloads, the exploit overwrites a function pointer inside VMX," Huntress explained. "It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityhackcveransomware

More from Cybersecurity

Anthropic: Viral Claude “banned And Reported To Authorities”

Anthropic: Viral Claude “banned And Reported To Authorities”

2026-01-10 0
Essential Guide: New Deepfake Fraud Tools Are Lagging Behind Expectations 2026

Essential Guide: New Deepfake Fraud Tools Are Lagging Behind Expectations 2026

2026-01-09 0
Essential Guide: Microsoft May Soon Allow It Admins To Uninstall Copilot 2026

Essential Guide: Microsoft May Soon Allow It Admins To Uninstall Copilot 2026

2026-01-09 0
Report: Hackers Target Misconfigured Proxies To Access Paid Llm Services

Report: Hackers Target Misconfigured Proxies To Access Paid Llm Services

2026-01-09 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views