Hackers reportedly used a compromised SonicWall VPN appliance to gain access and deploy a VMware ESXi exploit, possibly created as early as February 2024. Huntress, a cybersecurity firm, detected activity in December 2025 and halted it before it escalated into a ransomware attack.
The attack likely took advantage of three VMware zero-day vulnerabilities announced by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Exploiting these could allow a malicious actor with admin access to leak memory or run code as the VMX process.
“The toolkit analyzed […] also includes simplified Chinese strings in its development paths, including a folder named ‘全版本逃逸–交付’ (translated: ‘All version escape – delivery’), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware’s public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region,” researchers Anna Pham and Matt Anderson said.
The toolkit exploits three vulnerabilities in VMware by using HGFS for data leaks, VMCI for memory corruption, and shellcode that targets the kernel, the company stated.

The toolkit includes several parts, with “exploit.exe” (also known as MAESTRO) being the key component that orchestrates the virtual machine (VM) escape using the embedded binaries:
- devcon.exe, used to disable VMware’s guest-side VMCI drivers
- a kernel driver that exploits a vulnerability in the system, loaded into memory with a publicly available tool; the exploit then tracks its own progress and re-enables the VMCI drivers
The driver helps determine the ESXi version on the host and enables an attack for CVE-2025-22226 and CVE-2025-22224, allowing the attacker to inject three payloads into VMX’s memory:
- Stage 1 shellcode, to prepare the environment for the VMX sandbox escape
- Stage 2 shellcode, to establish a foothold on the ESXi host
- VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000
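As an added illustration (not code from Huntress’s report or from the toolkit), the guest-side sequence described above, VMCI driver disabled with devcon.exe, a kernel driver loaded, VMCI re-enabled, can be turned into a simple correlation rule over endpoint telemetry. The event shape, field names, paths and timestamps below are constructed for this example, and it assumes devcon.exe is invoked with a VMCI device identifier visible on its command line.

```python
import json
from datetime import datetime

# Constructed Sysmon-style events (hypothetical field names; paths and timestamps are made up).
# guest-vm-01 shows the full disable -> driver load -> enable chain; guest-vm-02 only toggles VMCI.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"ts": "2025-12-03T10:00:01", "host": "guest-vm-01", "event": "process_create", "image": "devcon.exe", "cmdline": "devcon.exe disable *vmci*"}
{"ts": "2025-12-03T10:00:04", "host": "guest-vm-01", "event": "driver_load", "image": "C:\\Windows\\Temp\\drv.sys", "cmdline": ""}
{"ts": "2025-12-03T10:00:20", "host": "guest-vm-01", "event": "process_create", "image": "devcon.exe", "cmdline": "devcon.exe enable *vmci*"}
{"ts": "2025-12-03T11:00:00", "host": "guest-vm-02", "event": "process_create", "image": "devcon.exe", "cmdline": "devcon.exe disable *vmci*"}
{"ts": "2025-12-03T11:00:10", "host": "guest-vm-02", "event": "process_create", "image": "devcon.exe", "cmdline": "devcon.exe enable *vmci*"}
""".strip().splitlines()]


def _is_devcon_vmci(ev, action):
    """True if the event is a devcon.exe process start that applies `action` to a VMCI device."""
    cmd = ev.get("cmdline", "").lower()
    return (ev["event"] == "process_create" and "devcon" in ev["image"].lower()
            and action in cmd and "vmci" in cmd)


def detect_vmci_toggle_chain(events, window_s=300):
    """Return one alert per host where 'devcon disable vmci', then a driver load, then
    'devcon enable vmci' all occur within window_s seconds (processed per host in time order)."""
    alerts, state = [], {}  # state[host] = {"disable": datetime, "driver": image or None}
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        st = state.get(host)
        if _is_devcon_vmci(ev, "disable"):
            state[host] = {"disable": ts, "driver": None}  # (re)start the chain
        elif st and (ts - st["disable"]).total_seconds() > window_s:
            state.pop(host)  # chain went stale without completing
        elif st and ev["event"] == "driver_load":
            st["driver"] = ev["image"]
        elif st and st["driver"] and _is_devcon_vmci(ev, "enable"):
            alerts.append({"host": host, "driver": st["driver"],
                           "first_seen": st["disable"].isoformat(), "last_seen": ev["ts"]})
            state.pop(host)
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_vmci_toggle_chain(SAMPLE_EVENTS), indent=2))
```

A real deployment would also want to surface the driver file for signature and hash review, since the page describes it being loaded by a publicly available tool rather than through normal installation.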
“After writing the payloads, the exploit overwrites a function pointer inside VMX,” Huntress explained. “It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger VMX.”
“When VMX handles the message, it follows the corrupted pointer and jumps to the attacker’s shellcode instead of legitimate code. This final stage corresponds to CVE-2025-22225, which VMware describes as an ‘arbitrary write vulnerability’ that allows ‘escaping the sandbox.’”
VSOCK allows direct communication between guest VMs and the hypervisor, enabling threat actors to use a “client.exe” (GetShell Plugin) from any Windows VM on a compromised host to send commands to the ESXi host and access the backdoor. The embedded PDB path indicates it might have been created in November 2023.