Ethical Hacking News
China-linked hackers have been accused of exploiting three VMware zero-day vulnerabilities to escape virtual machine control, potentially leading to ransomware attacks. The attack is believed to have utilized a compromised SonicWall VPN appliance as an initial entry point. Cybersecurity firm Huntress has reported that the exploit may have resulted in a successful ransomware assault.
The attackers used Host-Guest File System (HGFS) for information leaking, Virtual Machine Communication Interface (VMCI) for memory corruption, and shellcode that escapes to the kernel. The toolkit involved multiple components, including "exploit.exe" (aka MAESTRO), which acted as the orchestrator for the entire virtual machine escape.
The attack is thought to have been carried out by a well-resourced developer operating in a Chinese-speaking region, according to Huntress researchers. CISA has flagged Microsoft Office and HPE OneView bugs as actively exploited.
A compromised SonicWall VPN appliance was used as an entry point to deploy a sophisticated VMware ESXi exploit.
The attack exploited three VMware vulnerabilities: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1).
The exploit is thought to have been developed as far back as February 2024, indicating a well-resourced developer likely operating in a Chinese-speaking region.
The toolkit analyzed by researchers included simplified Chinese strings and evidence suggesting it was built as a zero-day exploit over a year before VMware's public disclosure.
The attack involved multiple components, including "exploit.exe" (aka MAESTRO), which acted as the orchestrator for the entire virtual machine escape.
China-linked hackers are accused of utilizing a compromised SonicWall VPN appliance as an initial entry point to deploy a sophisticated VMware ESXi exploit that may have been developed as far back as February 2024. The attack, which was observed by cybersecurity firm Huntress in December 2025 and stopped before it could progress to the final stage, is believed to have resulted in a ransomware assault.
The attack is thought to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of these issues could permit a malicious actor with admin privileges inside a guest to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process.
It is also worth noting that the United States Cybersecurity and Infrastructure Security Agency (CISA) has included the flaws in its catalog of known exploited vulnerabilities, indicating active exploitation. The toolkit analyzed by researchers Anna Pham and Matt Anderson includes simplified Chinese strings in its development paths, including a folder named '全版本逃逸--交付' (translated: 'All version escape - delivery'), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware's public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region.
The toolkit weaponizes the three VMware shortcomings by using Host-Guest File System (HGFS) for information leaking, Virtual Machine Communication Interface (VMCI) for memory corruption, and shellcode that escapes to the kernel. The toolkit involves multiple components, chief among them being "exploit.exe" (aka MAESTRO), which acts as the orchestrator for the entire virtual machine (VM) escape by making use of the following embedded binaries:
devcon.exe, to disable VMware's guest-side VMCI drivers
MyDriver.sys, an unsigned kernel driver containing the exploit, which is loaded into kernel memory using the open-source tool Kernel Driver Utility (KDU); the orchestrator then monitors the exploit status and re-enables the VMCI drivers
The driver's main responsibility is to identify the exact ESXi version running on the host and trigger an exploit for CVE-2025-22226 and CVE-2025-22224, ultimately allowing the attacker to write three payloads directly into VMX's memory:
Stage 1 shellcode, to prepare the environment for the VMX sandbox escape
Stage 2 shellcode, to establish a foothold on the ESXi host
VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000
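As an added example (not code from the page, Huntress or the toolkit), a small Python detector that looks for the guest-side sequence described above on constructed process-creation log lines: VMCI driver disabled with devcon.exe, an unsigned driver mapped with KDU, then VMCI re-enabled. The log format, the hostnames and the exact devcon/KDU command lines are assumptions for the example, not indicators taken from the report.

```python
import os
import re

# Constructed sample of guest-VM process-creation events (Sysmon-style, simplified).
# These lines are made up for this example; they are not from the Huntress report,
# and the devcon/KDU command lines are assumed rather than copied from the toolkit.
SAMPLE_EVENTS = [
    '2025-12-14T10:01:02Z host=WIN-GUEST01 pid=4120 image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"',
    '2025-12-14T10:03:11Z host=WIN-GUEST01 pid=5220 image=C:\\Temp\\exploit.exe cmdline="exploit.exe"',
    '2025-12-14T10:03:12Z host=WIN-GUEST01 pid=5224 image=C:\\Temp\\devcon.exe cmdline="devcon.exe disable *VMCI*"',
    '2025-12-14T10:03:15Z host=WIN-GUEST01 pid=5230 image=C:\\Temp\\kdu.exe cmdline="kdu.exe -map C:\\Temp\\MyDriver.sys"',
    '2025-12-14T10:04:40Z host=WIN-GUEST01 pid=5240 image=C:\\Temp\\devcon.exe cmdline="devcon.exe enable *VMCI*"',
    '2025-12-14T10:05:00Z host=WIN-GUEST02 pid=3001 image=C:\\Temp\\devcon.exe cmdline="devcon.exe disable *VMCI*"',
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) '
                      r'image=(?P<image>\S+) cmdline="(?P<cmd>.*)"$')

# Stages of the guest-side chain, in the order the orchestrator runs them.
CHAIN = ("vmci_disabled", "driver_mapped", "vmci_reenabled")


def parse_event(line):
    """Parse one log line into a dict, or return None when the line does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Map an event to a chain stage, or None if it is not part of the chain."""
    image = os.path.basename(event["image"].replace("\\", "/")).lower()
    cmd = event["cmd"].lower()
    if image == "devcon.exe" and "vmci" in cmd:
        if "disable" in cmd:          # checked first: "enable" is a substring of "disable"
            return "vmci_disabled"
        if "enable" in cmd:
            return "vmci_reenabled"
    # KDU mapping an arbitrary .sys is the unsigned-driver load step; any kdu.exe use is suspicious.
    if image == "kdu.exe" or (cmd.endswith(".sys") and " -map " in cmd):
        return "driver_mapped"
    return None


def detect_vm_escape_chain(lines):
    """Return {host: {"stages": [...], "alert": bool}}. A host is alerted once VMCI has been
    disabled and an unsigned driver mapped on it, in that order; re-enabling is corroboration."""
    seen = {}
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev) if ev else None
        if stage:
            stages = seen.setdefault(ev["host"], [])
            if stage not in stages:
                stages.append(stage)
    return {h: {"stages": s, "alert": s[:2] == list(CHAIN[:2])} for h, s in seen.items()}
```

A lone devcon disable (WIN-GUEST02 in the sample) is recorded but not alerted, so legitimate driver maintenance does not page anyone; the unsigned-driver load is what turns it into an alert.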
Related Information:
https://www.ethicalhackingnews.com/articles/China-Linked-Hackers-Exploit-VMware-ESXi-Zero-Days-to-Escalate-Virtual-Machine-Control-ehn.shtml
https://thehackernews.com/2026/01/chinese-linked-hackers-exploit-vmware.html
Published: Fri Jan 9 13:22:49 2026 by llama3.2 3B Q4_K_M