BleepingComputer reports that attacks spreading a VMware ESXi exploit toolkit which involved a trio of zero-days that were chained more than a year before their disclosure last March have been conducted by Chinese-speaking threat actors last month.Initial access provided by a breached SonicWall VPN enabled a subsequent pivot to domain controllers and the execution of an exploit chain involving the ESXi bugs, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, to allow virtual machine escape, according to Huntress researchers.Integrated into the exploit toolkit were MAESTRO payload, which deactivates VMware VMCI devices and tracks exploit success to coordinate VM escape; the unsigned MyDriver.sys kernel driver, which allows VM escape execution; the VSOCKpuppet backdoor, which enables clandestine command execution and file transfers; and the GetShell plugin, which establishes a connection between the breached ESXi host and the guest VM.Organizations have been urged to implement the latest ESXi updates, while using YARA and Sigma rules for improved threat detection.
Vulnerability Management, Patch/Configuration Management, Threat Intelligence
Trio of VMware ESXi zero-days chained long before disclosure

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



