Wednesday , July 1 2026
ESXi

Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines

Hackers reportedly used a compromised SonicWall VPN appliance to gain access and deploy a VMware ESXi exploit, possibly created as early as February 2024. Huntress, a cybersecurity firm, detected activity in December 2025 and halted it before it escalated into a ransomware attack.

The attack likely took advantage of three VMware zero-day vulnerabilities announced by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Exploiting these could allow a malicious actor with admin access to leak memory or run code as the VMX process.

Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface (CLI), compromising...
Read More
Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Chrome Update Patches 382 Vulnerabilities, Including 15 Critical

Chrome 151 has a new update that fixes 382 security problems. This includes 15 critical issues that could allow attackers...
Read More
Chrome Update Patches 382 Vulnerabilities, Including 15 Critical

Apple fixes more than 30 iOS, macOS, and Safari flaws

Apple released security updates on Monday for iOS, macOS, and Safari. These updates fix more than thirty issues, including four...
Read More
Apple fixes more than 30 iOS, macOS, and Safari flaws

Attackers exploit critical flaw in Oracle E-Business

Attackers are now using a flaw (called CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial app, according to the security...
Read More
Attackers exploit critical flaw in Oracle E-Business

WhatsApp to allow usernames instead of phone numbers

WhatsApp is about to release a big update that may change how people communicate on the app. Soon, users can...
Read More
WhatsApp to allow usernames instead of phone numbers

Linux Unveils New Open Source Security Project “Akrites” For (OSS) Ecosystem

The Linux Foundation said on Thursday that they are starting a new project to fix flaws in open source software...
Read More
Linux Unveils New Open Source Security Project “Akrites” For (OSS) Ecosystem

Data breach affects 14.2 million email logins across six ISPs

KDDI Corporation, a Japanese telecom company, revealed a data breach. Hackers got into one of its email systems that five...
Read More
Data breach affects 14.2 million email logins across six ISPs

Asian Two AI startups launch Mythos-like Model

Two Asian AI companies have released new models this week that compete with Anthropic’s recently limited Mythos and Fable models,...
Read More
Asian Two AI startups launch Mythos-like Model

Polymarket Hack Reportedly Results in $3 Million Theft

Polymarket is a platform for prediction markets using cryptocurrency. It lets users bet on what might happen in real-life events...
Read More
Polymarket Hack Reportedly Results in $3 Million Theft

Anthropic Confirms US Infrastructure Redeployment of Claude Mythos 5

Anthropic said that Claude Mythos 5, its strongest AI security model, will be sent back to some U.S. orgs that...
Read More
Anthropic Confirms US Infrastructure Redeployment of Claude Mythos 5

“The toolkit analyzed […] also includes simplified Chinese strings in its development paths, including a folder named ‘全版本逃逸–交付’ (translated: ‘All version escape – delivery’), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware’s public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region,” researchers Anna Pham and Matt Anderson said.

The toolkit exploits three vulnerabilities in VMware by using HGFS for data leaks, VMCI for memory corruption, and shellcode that targets the kernel, the company stated.

VM Escape exploitation flow Source: Huntress

The toolkit includes several parts, with “exploit.exe” (also known as MAESTRO) being the key component that orchestrates the virtual machine (VM) escape by using the embedded binaries.

  • devcon.exe, to disable VMware’s guest-side VMCI drivers
  • a kernel driver that exploits a vulnerability in the system, which is loaded into memory using a publicly available tool, after which the exploit’s progression is tracked and the VMCI drivers are re-enabled

The driver helps determine the ESXi version on the host and enables an attack for CVE-2025-22226 and CVE-2025-22224, allowing the attacker to inject three payloads into VMX’s memory –

Stage 1 shellcode, to prepare the environment for the VMX sandbox escape
Stage 2 shellcode, to establish a foothold on the ESXi host

VSOCK communication protocol between client.exe and VSOCKpuppet

VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000

“After writing the payloads, the exploit overwrites a function pointer inside VMX,” Huntress explained. “It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger VMX.”

“When VMX handles the message, it follows the corrupted pointer and jumps to the attacker’s shellcode instead of legitimate code. This final stage corresponds to CVE-2025-22225, which VMware describes as an ‘arbitrary write vulnerability’ that allows ‘escaping the sandbox.'”

VSOCK allows direct communication between guest VMs and hypervisors, enabling threat actors to use a “client.exe” (GetShell Plugin) from any Windows VM on a compromised host to send commands to the ESXi and access the backdoor. The embedded PDB path indicates it might have been created in November 2023.

Check Also

CVE-2026-20230

Cisco Unified CM flaw CVE-2026-20230 exploited in attacks

A serious SSRF flaw, called CVE-2026-20230, in Cisco Unified Communications Manager Server is now being …