Chinese-speaking threat actors are suspected of using a compromised SonicWall VPN to deploy a VMware ESXi exploit that may have been developed nearly a year before its public disclosure. Security researchers at Huntress intervened in December 2025 to stop the attack, which utilized a sophisticated toolkit designed for virtual machine escapes and potential ransomware deployment.
Recent investigative findings suggest that a well-resourced group began developing a specialized exploitation toolkit as early as February 2024. This timeline indicates that the attackers possessed functional exploits for critical VMware vulnerabilities long before they were officially identified and patched. The activity was discovered after the actors gained initial access through a vulnerable VPN appliance, highlighting a persistent strategy of targeting edge networking devices to penetrate secure environments.
The intrusion specifically targeted three vulnerabilities within the VMware ecosystem that Broadcom eventually disclosed as zero-days in March 2025. These flaws, categorized under CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, carry high severity scores due to their ability to allow attackers to leak memory or execute code within the virtual machine executable process. Because of the immediate danger posed by these flaws, the Cybersecurity and Infrastructure Security Agency added them to the known exploited vulnerabilities catalog shortly after their discovery.
Internal analysis of the attack tools revealed development paths containing simplified Chinese strings, including a folder name that translates to "all version escape delivery". These linguistic markers, combined with the technical sophistication required to maintain a zero-day exploit for over a year, lead researchers to believe the developer is likely operating within a Chinese-speaking region. The toolkit appears to be a highly professional product designed for reliable virtual machine escapes across various software versions.
Technical evidence shows that the exploit relies on a complex chain of interactions involving the host-guest file system and the virtual machine communication interface. By manipulating these components, the malware can trigger memory corruption and execute shellcode that escapes from the guest environment into the host kernel. This process allows a malicious actor with administrative privileges to move beyond the boundaries of a single virtual machine and potentially compromise the entire underlying server infrastructure.
The primary orchestrator of this escape is a binary known as MAESTRO, which manages several secondary components to ensure the exploit succeeds. The process involves using a utility to disable guest-side drivers and deploying an unsigned kernel driver through an open-source loading tool. Once the exploit is successfully loaded into kernel memory, MAESTRO monitors the status of the attack and re-enables the previously disabled drivers to maintain stability and avoid detection while the attackers prepare for the final stages of their operation.
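The guest-side staging sequence described above (guest drivers disabled, an unsigned kernel driver loaded, the drivers re-enabled) is a correlatable pattern for defenders. The following is an added detection example, not code from the article or from Huntress; the log format, the driver service names `vmhgfs` and `vmci`, and the ten-minute window are assumptions, and the log lines are constructed samples.

```python
# Added example (not from the article): flag hosts where an unsigned kernel
# driver loads between a stop and a restart of a VMware guest driver service.
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window
# Assumed guest-side VMware Tools driver service names (the article names none).
GUEST_DRIVERS = {"vmhgfs", "vmci"}

# Constructed sample log in a simplified key=value format.
SAMPLE_LOG = """\
2025-12-03T10:01:12 host=vm-app01 event=service_state name=vmhgfs state=stopped
2025-12-03T10:01:13 host=vm-app01 event=service_state name=vmci state=stopped
2025-12-03T10:02:40 host=vm-app01 event=driver_load image=C:\\Temp\\drv.sys signed=false
2025-12-03T10:03:05 host=vm-app01 event=service_state name=vmhgfs state=running
2025-12-03T10:03:06 host=vm-app01 event=service_state name=vmci state=running
2025-12-03T11:30:00 host=vm-db02 event=driver_load image=C:\\Windows\\System32\\drivers\\vmci.sys signed=true
"""

def parse(line):
    """Turn one log line into a dict; the leading token is an ISO timestamp."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_escape_staging(log_text):
    """Return (host, driver image, [re-enabled services]) for each unsigned
    driver load that sits between a stop and a restart of a guest driver."""
    by_host = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_host.setdefault(rec["host"], []).append(rec)
    hits = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        loads = [r for r in recs if r["event"] == "driver_load" and r["signed"] == "false"]
        for load in loads:
            stopped = {r["name"] for r in recs if r["event"] == "service_state"
                       and r["state"] == "stopped" and r["name"] in GUEST_DRIVERS
                       and load["ts"] - WINDOW <= r["ts"] <= load["ts"]}
            restarted = {r["name"] for r in recs if r["event"] == "service_state"
                         and r["state"] == "running" and r["name"] in stopped
                         and load["ts"] <= r["ts"] <= load["ts"] + WINDOW}
            if stopped and restarted:
                hits.append((host, load["image"], sorted(restarted)))
    return hits

if __name__ == "__main__":
    for host, image, services in find_escape_staging(SAMPLE_LOG):
        print(f"{host}: unsigned driver {image} loaded while {services} were disabled")
```

The signed load of a VMware driver on the second host is ignored, so the rule only fires on the stop/unsigned-load/restart triplet.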
Source: China Linked Hackers Use VMware ESXi Zero Day Flaws To Escape Virtual Machines
Strong breakdown of how the exploit chain works. The timeline detail showing development in Feb 2024 but public disclosure in March 2025 highlights the zero-day window problem that keeps defenders behind. What's particularly interesting is the use of MAESTRO to orchestrate the kernel-level escape, since that kinda modular approach suggests they built it for repeatability across different targets. I've seen similar escape techniques in older hypervisor exploits, but the VPN entry point combined with guest-to-host escalation is still one of the harder attack paths to defend against.