Chinese APT Used VMware ESXi Zero-Days to Escape VMs
Huntress researchers discover 'MAESTRO' toolkit exploiting three VMware vulnerabilities. Attackers chained SonicWall VPN access with hypervisor escape to deploy persistent backdoors.
Security researchers at Huntress revealed a sophisticated attack toolkit designed to escape VMware ESXi virtual machines and establish persistent access on hypervisors. The attackers, suspected to be Chinese-speaking based on code artifacts, exploited three VMware vulnerabilities disclosed as zero-days in March 2025—and may have developed the capability more than a year before Broadcom's public disclosure.
The discovery confirms that advanced threat actors targeted VMware hypervisor vulnerabilities significantly earlier than previously understood. Organizations that delayed patching after the March 2025 advisory may have already been compromised.
TL;DR
- What happened: Chinese-speaking threat actors developed a VM escape toolkit exploiting VMware ESXi vulnerabilities
- Who's affected: Organizations running VMware ESXi, particularly those also using SonicWall VPNs
- Severity: Critical - Full hypervisor compromise enables access to all guest VMs
- Action required: Verify VMware patches applied, audit SonicWall VPN access logs, hunt for IOCs
How MAESTRO Works
Huntress dubbed the exploitation toolkit "MAESTRO" after strings found in the codebase. The attack chain begins with a compromised SonicWall VPN appliance providing initial access, then escalates through a carefully orchestrated sequence targeting the VMware hypervisor.
The toolkit exploits three vulnerabilities that Broadcom disclosed in March 2025 and that CISA added to its Known Exploited Vulnerabilities catalog the same month:
CVE-2025-22224 (CVSS 9.3) allows memory leakage from the VMX process—the userspace component handling virtual machine operations on the hypervisor. Attackers use this to read sensitive memory contents.
CVE-2025-22225 (CVSS 8.2) provides arbitrary write capability, enabling sandbox escape from the guest VM to the host hypervisor.
CVE-2025-22226 (CVSS 7.1) delivers code execution as the VMX process, completing the escape.
Once inside the hypervisor, MAESTRO deploys VSOCKpuppet—a 64-bit ELF backdoor maintaining persistent access through VSOCK port 10000. This backdoor enables bidirectional communication between guest VMs and the compromised hypervisor.
Technical Chain of Exploitation
The attack follows a methodical progression. After compromising a SonicWall VPN appliance for initial network access, attackers use the Kernel Driver Utility (KDU) to load an unsigned kernel driver (MyDriver.sys) on a Windows guest VM.
The malware then manipulates VMware guest-side VMCI drivers using devcon.exe, cycling the driver state to prepare for exploitation. Three shellcode stages are written into VMX process memory through the vulnerabilities, overwriting function pointers to redirect execution flow.
From the hypervisor, attackers gain capabilities most defenders don't anticipate: downloading files from ESXi to guest VMs, uploading files in the opposite direction, executing remote shell commands on the hypervisor, and operating across multiple guest VMs simultaneously via VSOCK communication.
Attribution Signals
Huntress stopped short of definitive attribution, but the evidence points toward Chinese-speaking operators. The toolkit contains simplified Chinese strings including a folder named "全版本逃逸--交付" (translated as "All version escape - delivery"). Development paths in the code reference Chinese characters throughout.
More concerning than the language indicators is the apparent timeline. Researchers found evidence suggesting zero-day development "over a year before VMware's public disclosure" in March 2025. This indicates a well-resourced actor with advanced vulnerability research capabilities—consistent with state-sponsored operations rather than criminal groups.
The use of SonicWall VPN appliances for initial access aligns with previous campaigns by Chinese APT groups targeting network edge devices. These devices provide ideal footholds: they're exposed to the internet, often run outdated firmware, and security teams frequently overlook their logs.
Why Hypervisor Escapes Matter
Virtual machine escape vulnerabilities represent the nightmare scenario for virtualized infrastructure. A single compromised guest VM becomes the launch point for accessing every other VM on the same hypervisor—and potentially pivoting to other hypervisors in the cluster.
Organizations running financial systems, healthcare databases, or government applications alongside less sensitive workloads face cascading compromise risk. The hypervisor layer was supposed to provide isolation; MAESTRO demonstrates that isolation isn't absolute.
Detection proves difficult because the malicious activity occurs at the hypervisor layer, below where most security tools operate. Standard endpoint detection and response solutions running inside guest VMs can't observe hypervisor-level backdoors.
Recommended Actions
- Verify patching status - Confirm VMware ESXi systems received March 2025 patches for CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226
- Audit SonicWall VPN logs - Review for unauthorized access, unusual connection patterns, or suspicious administrative activity
- Hunt for VSOCK indicators - Monitor for unusual VSOCK communications on port 10000
- Inspect unsigned drivers - Look for MyDriver.sys or other suspicious kernel drivers on Windows guest VMs
- Review VMX process behavior - Unusual memory patterns or function pointer modifications may indicate compromise
Organizations without visibility into hypervisor-level activity should consider engaging incident response specialists if they run unpatched VMware infrastructure alongside SonicWall VPN appliances.
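As an added example (not Huntress tooling or anything from Broadcom), the following Python script performs the driver-inspection step from the list above on a set of Windows driver images: it flags any file named MyDriver.sys and any .sys image that carries no embedded Authenticode certificate table (PE data directory entry 4, the Security directory). The driver images it scans are constructed inside the script with a minimal non-loadable PE builder, so it runs offline; on a real guest VM you would feed it the files from the drivers directory instead. The IOC name set and the sample inventory are assumptions made for illustration.

```python
"""Triage Windows kernel driver images for a named IOC and for missing
embedded Authenticode signatures.

Added example, not Huntress or VMware code.  Sample PE images are
constructed below so the script runs without any real driver files.
"""
import struct

# Driver file names the write-up calls out; extend with your own names.
IOC_DRIVER_NAMES = {"mydriver.sys"}  # constructed from the article's indicator


def build_test_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Build a minimal PE image for testing (constructed; not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    dd_off = 112 if pe32plus else 96            # start of the data directories
    struct.pack_into("<I", opt, dd_off - 4, 16)  # NumberOfRvaAndSizes
    body_len = len(dos) + 4 + len(coff) + opt_size
    if signed:
        # Dummy WIN_CERTIFICATE (dwLength, wRevision, wCertificateType) appended
        # at the end of the file; the Security directory stores a file offset.
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", opt, dd_off + 4 * 8, body_len, len(cert))
    else:
        cert = b""
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


def has_embedded_authenticode(data: bytes) -> bool:
    """True if the PE image's Security data directory points at a certificate table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:        # PE32+
        dd_off = opt_off + 112
    elif magic == 0x10B:      # PE32
        dd_off = opt_off + 96
    else:
        raise ValueError("unknown optional header magic")
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    if n_dirs <= 4:           # no Security directory entry at all
        return False
    sec_off, sec_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    return sec_off != 0 and sec_size != 0 and sec_off + sec_size <= len(data)


def triage_driver(file_name: str, image: bytes) -> list:
    """Return the findings for one driver file (empty list means nothing to report)."""
    findings = []
    if file_name.lower() in IOC_DRIVER_NAMES:
        findings.append("matches named IOC")
    if not has_embedded_authenticode(image):
        # Catalog-signed Microsoft drivers also lack an embedded signature, so
        # this is a lead for a catalog check, not proof of tampering.
        findings.append("no embedded Authenticode signature")
    return findings


def hunt(inventory: dict) -> dict:
    """Map file name -> findings for every driver that produced at least one."""
    results = {}
    for name, image in inventory.items():
        findings = triage_driver(name, image)
        if findings:
            results[name] = findings
    return results


# Constructed sample inventory: a signed driver, the named IOC (unsigned),
# and a PE32 image with no embedded signature (the catalog-signed case).
SAMPLE_INVENTORY = {
    "vmci.sys": build_test_pe(signed=True),
    "MyDriver.sys": build_test_pe(signed=False),
    "storport.sys": build_test_pe(signed=False, pe32plus=False),
}

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(findings)}")
```

The sweep is done over files rather than over the service list because a driver loaded by a third-party loader need not be registered as a service, so `driverquery` can miss it. Any hit on "no embedded Authenticode signature" should be confirmed with a catalog-aware check such as `Get-AuthenticodeSignature` before treating it as an indicator.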