Vulnerability Management, Patch/Configuration Management, Threat Intelligence

Trio of VMware ESXi zero-days chained long before disclosure

VMware company brand logo on official website

BleepingComputer reports that attacks spreading a VMware ESXi exploit toolkit which involved a trio of zero-days that were chained more than a year before their disclosure last March have been conducted by Chinese-speaking threat actors last month.

Initial access provided by a breached SonicWall VPN enabled a subsequent pivot to domain controllers and the execution of an exploit chain involving the ESXi bugs, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, to allow virtual machine escape, according to Huntress researchers.

Integrated into the exploit toolkit were MAESTRO payload, which deactivates VMware VMCI devices and tracks exploit success to coordinate VM escape; the unsigned MyDriver.sys kernel driver, which allows VM escape execution; the VSOCKpuppet backdoor, which enables clandestine command execution and file transfers; and the GetShell plugin, which establishes a connection between the breached ESXi host and the guest VM.

Organizations have been urged to implement the latest ESXi updates, while using YARA and Sigma rules for improved threat detection.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds