Hackers Use MAESTRO VMware ESXi Zero-Day Exploit Toolkit Against Servers


VMware ESXi zero-day exploit activity is unfolding in the wild as attackers use a chained toolkit called MAESTRO to escape virtual machines and seize ESXi hosts. Huntress reports it disrupted one live intrusion.

The intrusion started with a compromised SonicWall VPN, escalated through a stolen Domain Admin, and pivoted to domain controllers. Attackers ran reconnaissance, staged data, and altered firewall rules before attempting the ESXi exploit.

Huntress halted the operation about 20 minutes after the toolkit launch, preventing ransomware execution on the hypervisor.

VMware ESXi zero-day exploit: What You Need to Know

  • A chained attack enables guest-to-host escape, covert persistence, and root control of ESXi.

How Huntress Disrupted the Attack

Huntress says the adversary entered through a compromised SonicWall VPN, then used a hijacked Domain Admin to reach backup and primary domain controllers.

On the primary controller, the actor ran Advanced Port Scanner and ShareFinder, staged data with WinRAR, and changed Windows firewall policies to block outbound traffic while preserving internal movement.

Roughly 20 minutes after staging the toolkit, the attacker attempted the VMware ESXi zero-day exploit. Huntress intervened and terminated execution before ransomware could trigger on the hypervisor.

Inside the MAESTRO exploit toolkit

Huntress named the chain the MAESTRO exploit toolkit. The sequence disables VMware VMCI drivers using devcon.exe, invokes KDU to load an unsigned driver that bypasses Driver Signature Enforcement, then launches the escape payload.

The driver MyDriver.sys queries ESXi versions via the VMware Guest SDK and selects offsets across 155 builds from ESXi 5.1 through 8.0.

After escaping the guest, MAESTRO installs a backdoor dubbed VSOCKpuppet. It hijacks ESXi inetd on port 21 to achieve root command execution.

By relying on VSOCK for guest-to-host communication, the channel bypasses traditional network tooling and many IDS detections that key on TCP or UDP traffic.

CVE details and attack flow

The campaign combined host-guest communication abuse with memory corruption to execute the VMware ESXi zero-day exploit.

  • CVE-2025-22226 (CVSS 7.1): Out-of-bounds read in HGFS leaks VMX memory addresses to aid exploitation
  • CVE-2025-22224 (CVSS 9.3): Arbitrary write via VMCI enables escape from the VMX sandbox to the kernel
  • CVE-2025-22225 (CVSS 8.2): Additional arbitrary write primitive used during sandbox escape

Huntress reports that MyDriver.sys leaks the VMX base through HGFS for CVE-2025-22226, corrupts memory via VMCI for CVE-2025-22224, then loads shellcode to complete the escape for CVE-2025-22225.

Tooling artifacts show simplified Chinese locales, with PDB paths such as “全版本逃逸–交付” (roughly, “all-version escape – delivery”) and file timestamps as early as November 2023 for a client.exe module.

These timestamps precede Broadcom’s VMware advisory of March 4, 2025, suggesting the actor held working exploits before the CVE-2025 VMware hypervisor vulnerabilities were publicly disclosed.


Persistence and evasion on ESXi hosts

Once the VMware ESXi zero-day exploit succeeds, the shellcode deploys VSOCKpuppet and abuses inetd for persistence. Huntress observed post-exploitation cleanup that attempts to restore drivers and revert settings to reduce forensic traces.

Because VSOCK traffic is not visible to conventional network tools, defenders should depend on hypervisor telemetry and host auditing to surface this activity.

Detection and immediate mitigations

Patching remains urgent. Apply ESXi updates as soon as possible; end-of-life versions will not receive fixes. Refer to VMware guidance in the VMware Security Advisories and track confirmed exploitation via the CISA KEV catalog. These steps reduce exposure to any VMware ESXi zero-day exploit.

Huntress advises the following operational checks to counter a VMware ESXi zero-day exploit chain:

  • On ESXi, run “lsof -a” to find unexpected VSOCK processes or inetd services on port 21
  • On Windows, monitor for Bring Your Own Driver loaders like KDU and unsigned driver activity
  • Alert on firewall policy changes that block outbound traffic while permitting internal movement
  • Harden and monitor VPNs
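The two ESXi-side checks above (an inetd service bound to port 21 and VSOCK use by an unexpected process) are easy to script as a triage pass over copied-off host files. The following is an added example written for this article, not Huntress tooling or anything from the original post. It assumes the inetd configuration lives at /etc/inetd.conf with the classic seven-field layout and that service names resolve through /etc/services; the lsof-style lines, the process allowlist and the suspicious entries are all constructed for the demonstration, and the VSOCK check only keyword-matches on "vsock" so it tolerates whatever column layout the host's lsof prints.

```python
"""Triage helpers for two ESXi host checks: an inetd service on port 21 and
VSOCK endpoints held by processes outside an expected set.

All sample data below is constructed for the example; the file layouts are
assumptions about a typical ESXi host, not values from the article.
"""
from dataclasses import dataclass

# Constructed /etc/services excerpt (a real host carries many more lines).
SAMPLE_SERVICES = """\
ftp     21/tcp
ssh     22/tcp
http    80/tcp
"""

# Constructed /etc/inetd.conf. Line 3 is the usual commented-out ftp entry;
# line 4 is a constructed suspicious entry that re-enables port 21 with a
# program outside the normal system paths.
SAMPLE_INETD = """\
#service socket proto wait user program args
ssh   stream tcp nowait root /usr/lib/vmware/openssh/bin/sshd sshd ++min=0,swap,group=host/vim/vimuser/terminal/ssh -i
#ftp  stream tcp nowait root /bin/ftpd ftpd
ftp   stream tcp nowait root /tmp/.x/ftpd ftpd
"""

# Constructed lsof-style output: "<world> <process> <type> <fd> <description>".
SAMPLE_LSOF = """\
2098765 vmtoolsd  SOCKET  3  vsock:2:1234
2099001 hostd     FILE    5  /var/log/hostd.log
2100123 .vsockd   SOCKET  4  vsock:4:21
"""

# Assumed baseline of processes that legitimately hold VSOCK endpoints on a
# given host; build this from a known-clean host rather than trusting this list.
EXPECTED_VSOCK_PROCESSES = frozenset({"vmtoolsd", "vmx", "vmware-vmx"})


@dataclass(frozen=True)
class InetdEntry:
    lineno: int
    service: str
    proto: str
    user: str
    program: str
    port: int


def parse_services(text):
    """Map service name -> {proto: port} from /etc/services style lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        table.setdefault(parts[0], {})[proto] = int(port)
    return table


def inetd_entries_on_port(inetd_text, services, port):
    """Return active (uncommented) inetd entries whose service resolves to port."""
    hits = []
    for lineno, raw in enumerate(inetd_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out service is not listening
        fields = line.split()
        if len(fields) < 6:
            continue
        service, _sock, proto, _wait, user, program = fields[:6]
        # inetd accepts a numeric port in place of a service name.
        resolved = int(service) if service.isdigit() else services.get(service, {}).get(proto)
        if resolved == port:
            hits.append(InetdEntry(lineno, service, proto, user, program, port))
    return hits


def unexpected_vsock_users(lsof_text, expected):
    """Return (process, descriptor) for VSOCK endpoints held by processes not in expected."""
    findings = []
    for raw in lsof_text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or "vsock" not in raw.lower():
            continue
        process = fields[1]
        if process not in expected:
            findings.append((process, fields[-1]))
    return findings


if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICES)
    for entry in inetd_entries_on_port(SAMPLE_INETD, services, 21):
        print(f"inetd line {entry.lineno}: {entry.service}/{entry.proto} "
              f"as {entry.user} runs {entry.program}")
    for process, desc in unexpected_vsock_users(SAMPLE_LSOF, EXPECTED_VSOCK_PROCESSES):
        print(f"unexpected VSOCK user: {process} -> {desc}")
```

To use it against a real host, replace the constructed strings with the contents of the copied-off /etc/inetd.conf and /etc/services and the saved output of `lsof -a`, and build the expected-process set from a host you trust rather than from the placeholder above; any port-21 entry that points at a program outside the vendor paths, or any VSOCK holder absent from the baseline, is a lead worth pulling in the hypervisor logs.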

For ongoing technical analysis and indicators, see the Huntress Blog. Staying current helps teams spot signatures consistent with a VMware ESXi zero-day exploit.

Implications for virtualized environments

A successful VMware ESXi zero-day exploit breaks the trust boundary between guest and host. Attackers can gain root on the hypervisor, tamper with backups, and push ransomware across concentrated workloads.

Organizations running out-of-support ESXi face elevated risk because no fixes will be issued for those versions.

Defenders benefit from layered security that combines EDR, identity controls, vulnerability management, and rapid patching. Coordinated operations can disrupt a VMware ESXi zero-day exploit midstream.

The Huntress response shows that visibility, speed, and discipline can blunt impact even when attackers leverage fresh vulnerabilities.


Conclusion

Huntress identified the MAESTRO exploit toolkit as a mature chain that delivers a VMware ESXi zero-day exploit, plants covert persistence, and prepares ransomware.

Teams should patch ESXi, monitor for unsigned drivers and KDU, and scrutinize firewall changes and VSOCK activity. Rapid adherence to vendor advisories reduces exposure to a VMware ESXi zero-day exploit.

Assume the hypervisor can be compromised and plan containment. With tested backups, segmentation, and rehearsed response, organizations can withstand a VMware ESXi zero-day exploit and recover quickly.

Questions Worth Answering

What is the MAESTRO exploit toolkit?

It is a chained toolkit that disables VMCI, uses KDU to load an unsigned driver, escapes the VM sandbox, then installs a VSOCK based backdoor on ESXi.

How did attackers gain initial access?

Huntress attributes access to a compromised SonicWall VPN, followed by use of a stolen Domain Admin for lateral movement to domain controllers.

Which ESXi versions are affected?

The toolkit includes offsets for 155 ESXi builds from 5.1 through 8.0, suggesting broad version coverage.

What are the key CVEs in this attack?

CVE-2025-22226 leaks VMX memory via HGFS. CVE-2025-22224 and CVE-2025-22225 provide arbitrary write primitives that enable sandbox escape.

How can defenders detect this activity?

Watch for unsigned drivers and KDU on Windows, VSOCK processes on ESXi using “lsof -a,” firewall changes, and unexpected inetd usage on port 21.

Did ransomware execute on the ESXi host?

No. Huntress disrupted the operation about 20 minutes after toolkit deployment, before ransomware execution on the hypervisor.

What should organizations do now?

Patch ESXi urgently, secure VPN endpoints, monitor for Bring Your Own Driver loaders such as KDU, and track the CVE-2025 VMware hypervisor vulnerabilities in vendor advisories and the CISA KEV catalog.

About Huntress

Huntress is a cybersecurity company that delivers managed detection and response for small and midsize enterprises.

The company provides threat hunting, incident response, and research focused on emerging attacker tradecraft.

Huntress regularly publishes technical analyses and indicators to help defenders identify active intrusions.
