Chinese-speaking attackers used a hacked SonicWall VPN to deploy ESXi zero-days that were likely exploited over a year before public disclosure.
Chinese-speaking attackers were seen abusing a hacked SonicWall VPN to deliver a toolkit targeting VMware ESXi.
The exploit chain included a sophisticated VM escape and appears to have been developed more than a year before the related VMware flaws were publicly disclosed. Analysis of attacks observed in December 2025 suggests the group had early knowledge of three ESXi zero-day vulnerabilities that VMware publicly disclosed in March 2025, indicating long-term, covert exploitation of unknown flaws.
In December 2025, Huntress researchers detected an intrusion that led to the deployment of a VMware ESXi exploit toolkit, with initial access attributed to a compromised SonicWall VPN.
Evidence such as simplified Chinese strings and build paths suggests the toolkit was likely developed as a zero-day more than a year before VMware publicly disclosed the flaws, pointing to a well-resourced Chinese-speaking actor.
The attackers moved laterally using Domain Admin credentials, performed reconnaissance, modified firewall rules to block external access while preserving internal movement, and staged data for exfiltration. The toolkit targeted up to 155 ESXi builds and enabled VM escape via disabled VMCI drivers and unsigned kernel drivers, potentially paving the way for ransomware. The attack was ultimately stopped before impact.
VMware's March 2025 advisory VMSA-2025-0004 fixed three zero-days actively exploited in the wild that enable ESXi VM escape and code execution:
- CVE-2025-22226 (CVSS 7.1): An out-of-bounds read in HGFS that allows leaking memory from the VMX process
- CVE-2025-22224 (CVSS 9.3): A TOCTOU vulnerability in VMCI leading to an out-of-bounds write, allowing code execution as the VMX process
- CVE-2025-22225 (CVSS 8.2): An arbitrary write vulnerability in ESXi that allows escaping the VMX sandbox to the kernel
The threat actors rely on an orchestrator called MAESTRO to manage a full VMware ESXi VM escape. It disables VMCI drivers, loads an unsigned exploit driver via BYOD techniques, and coordinates exploitation. The driver leaks VMX memory to bypass ASLR, abuses HGFS and VMCI flaws, writes shellcode into the VMX process, and escapes to the ESXi kernel. It then deploys a stealthy VSOCK-based backdoor (VSOCKpuppet), enabling persistent remote control of the hypervisor from guest VMs while evading traditional network monitoring and restoring drivers to reduce detection.
Huntress researchers found evidence that the exploit chain may have been used since at least February 2024.
“The exploit binaries contain PDB paths that offer insight into the development environment.” reads the report published by Huntress.
“MyDriver.sys:
- C:\Users\test\Desktop\2024_02_19\全版本逃逸–交付\report\ESXI_8.0u3\
The folder name translates to “All version escape – delivery”, suggesting this was a packaged deliverable targeting ESXi 8.0 Update 3. The date in the path (February 19, 2024) predates VMware’s public disclosure by over a year, confirming this was developed as a potential zero-day exploit.”
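To make the timeline argument in the report excerpt concrete, here is an added Python example (not Huntress's tooling and not part of the report) that pulls PDB paths out of CodeView RSDS debug records in a binary, reads the date folder from the path, and measures the gap to the advisory date. The sample binary blob and the path inside it are constructed for this example; the en dash in the original folder name is replaced with an ASCII hyphen, and the GBK fallback assumes a Chinese-locale build machine, which the report's evidence suggests but does not state.

```python
"""Extract PDB paths from CodeView RSDS debug records and check whether the
build-date folder in each path predates a public disclosure date.

Added example, not Huntress's code. The sample blob below is constructed."""
import re
import struct
from datetime import date
from typing import List, Optional

# VMSA-2025-0004 was published by VMware on 4 March 2025.
DISCLOSURE_DATE = date(2025, 3, 4)

# CodeView PDB 7.0 record: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path
RSDS_SIG = b"RSDS"
RSDS_HEADER_LEN = len(RSDS_SIG) + 16 + 4

# Matches folder names such as 2024_02_19 or 2024-02-19
DATE_RE = re.compile(r"(20\d{2})[_-](\d{2})[_-](\d{2})")


def decode_pdb_path(raw: bytes) -> str:
    """PDB paths are stored in the build machine's narrow encoding.
    Assumption: try strict UTF-8 first, then GBK (common on Chinese-locale
    Windows). The order is a heuristic; some GBK byte pairs happen to be
    valid UTF-8, so inspect suspicious results by hand."""
    for enc in ("utf-8", "gbk"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")  # last resort: never fails, may be mojibake


def extract_pdb_paths(blob: bytes) -> List[str]:
    """Return every PDB path found in RSDS records inside blob."""
    paths = []
    start = 0
    while True:
        idx = blob.find(RSDS_SIG, start)
        if idx < 0:
            break
        path_start = idx + RSDS_HEADER_LEN
        end = blob.find(b"\x00", path_start)
        if end < 0:
            break
        paths.append(decode_pdb_path(blob[path_start:end]))
        start = end + 1
    return paths


def build_date_from_path(path: str) -> Optional[date]:
    """Parse a YYYY_MM_DD (or YYYY-MM-DD) folder name out of a PDB path."""
    m = DATE_RE.search(path)
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    try:
        return date(year, month, day)
    except ValueError:  # e.g. 2024_13_40 is a build number, not a date
        return None


def days_before_disclosure(path: str, disclosure: date = DISCLOSURE_DATE) -> Optional[int]:
    """Positive result: the path's date precedes disclosure by that many days."""
    built = build_date_from_path(path)
    if built is None:
        return None
    return (disclosure - built).days


def make_rsds_record(path: str, encoding: str = "utf-8") -> bytes:
    """Build a CodeView RSDS record for a constructed test binary."""
    guid = bytes(range(16))          # any 16 bytes; real records carry the PDB GUID
    age = struct.pack("<I", 1)
    return RSDS_SIG + guid + age + path.encode(encoding) + b"\x00"


# Constructed sample: a path mirroring the one quoted in the report (ASCII hyphen
# instead of the en dash), embedded in filler bytes and stored in GBK as a
# Chinese-locale build machine would store it.
SAMPLE_PATH = r"C:\Users\test\Desktop\2024_02_19\全版本逃逸-交付\report\ESXI_8.0u3\MyDriver.pdb"
SAMPLE_BLOB = b"MZ" + b"\x90" * 40 + make_rsds_record(SAMPLE_PATH, "gbk") + b"\x00" * 8

if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE_BLOB):
        print(p)
        print("  build date:", build_date_from_path(p),
              "| days before disclosure:", days_before_disclosure(p))
```

Run it against a real driver by replacing SAMPLE_BLOB with the file's bytes; a match only shows when the folder was named, not when the exploit was finished, so treat the result as a lower bound on development age rather than proof.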
The toolkit shows mixed clues about its origin. Development paths include simplified Chinese, but the README is written in English, suggesting it may have been built for wider distribution or sale. Driver files reference “XLab,” a generic name that could be coincidental, with no confirmed link to any organization. Overall, the use of Chinese artifacts, high technical sophistication, and possible access to zero-day exploits well before disclosure point to a well-funded developer likely operating in a Chinese-speaking region.
“This intrusion demonstrates a sophisticated, multi-stage attack chain designed to escape virtual machine isolation and compromise the underlying ESXi hypervisor. By chaining an information leak, memory corruption, and sandbox escape, the threat actor achieved what every VM administrator fears: full control of the hypervisor from within a guest VM.” concludes the report. “The development timeline revealed in the PDB paths tells us that this exploit potentially existed as a zero-day for over a year before VMware’s public disclosure, highlighting the persistent threat posed by well-resourced actors with access to unpatched vulnerabilities.”