Cybersecurity firm Huntress discovered Chinese-linked threat actors exploiting VMware ESXi zero-days to escape virtual machines and compromise hypervisors. Evidence suggests the exploit toolkit—dubbed MAESTRO—was built as early as February 2024, a full year before VMware publicly disclosed the vulnerabilities in March 2025.
Campaign overview
| Attribute | Details |
|---|---|
| Discovery | Huntress |
| Toolkit name | MAESTRO |
| Vulnerabilities | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 |
| Development date | February 2024 (estimated) |
| Observed exploitation | December 2025 |
| Attribution | Chinese-speaking region (assessed) |
| ESXi versions supported | 155 builds (5.1 through 8.0) |
| Exposed instances | 30,000+ globally |
Timeline
| Date | Event |
|---|---|
| February 2024 | Estimated MAESTRO toolkit development |
| March 2025 | VMware publicly discloses CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 |
| March 2025 | Patches released for ESXi 7.x and 8.x |
| December 2025 | Huntress observes active exploitation |
| January 8, 2026 | Shadowserver identifies 30,000+ exposed ESXi instances |
| January 9, 2026 | Huntress publishes analysis |
Vulnerabilities exploited
The attack chains three VMware flaws disclosed as zero-days in March 2025:
| CVE | CVSS | Type | Description |
|---|---|---|---|
| CVE-2025-22224 | 9.3 | TOCTOU → OOB Write | Race condition in VMCI leading to out-of-bounds write; code execution as VMX |
| CVE-2025-22225 | 8.2 | Arbitrary Write | VMX sandbox escape to ESXi kernel via arbitrary write primitive |
| CVE-2025-22226 | 7.1 | OOB Read | Information leak in HGFS; leaks VMX process memory to bypass ASLR |
Together, these enable full VM escape—breaking out of a guest virtual machine to control the hypervisor.
Exploitation chain
| Step | Vulnerability | Action |
|---|---|---|
| 1 | CVE-2025-22226 | Leak VMX memory to defeat ASLR |
| 2 | CVE-2025-22224 | Exploit VMCI TOCTOU for code execution in VMX |
| 3 | CVE-2025-22225 | Escape VMX sandbox to ESXi kernel |
| 4 | — | Deploy VSOCKpuppet backdoor |
The attack chain (December 2025)
Huntress observed and stopped the attack before completion:
| Phase | Action | Details |
|---|---|---|
| 1 | Initial access | Compromised SonicWall VPN appliance |
| 2 | Credential theft | Obtained Domain Admin account |
| 3 | Lateral movement | Pivoted via RDP across network |
| 4 | Staging | Prepared data for exfiltration |
| 5 | VM escape | Deployed MAESTRO toolkit |
| 6 | Hypervisor compromise | Gained control of ESXi host |
| 7 | Intended goal | Likely ransomware deployment (stopped) |
The toolkit contains four components working together:
MAESTRO (exploit.exe)
The orchestrator that coordinates the VM escape:
| Function | Description |
|---|---|
| Driver management | Disables VMware VMCI devices with devcon.exe |
| Driver loading | Loads unsigned exploit driver via KDU |
| Exploitation | Monitors exploit success across components |
| Cleanup | Restores drivers after exploitation |
| Version detection | Identifies ESXi build for appropriate offsets |
MyDriver.sys
Unsigned kernel driver that executes the escape:
| Capability | Details |
|---|---|
| ESXi version detection | Identifies target build |
| VMX memory leakage | Exploits CVE-2025-22226 |
| VMCI exploitation | Triggers CVE-2025-22224 |
| Sandbox escape | Leverages CVE-2025-22225 |
| Build support | 155 ESXi builds (versions 5.1–8.0) |
The driver includes hardcoded offsets for 155 different ESXi builds, demonstrating significant reverse engineering investment.
VSOCKpuppet
ELF backdoor running on the compromised ESXi host:
| Feature | Description |
|---|---|
| Communication | VSOCK (VM-to-hypervisor interface) |
| Command execution | Full shell access on ESXi |
| File transfer | Upload/download capabilities |
| Stealth | Invisible to network monitoring |
| Persistence | Survives VM operations |
GetShell Plugin (client.exe)
Windows VSOCK client for communication:
| Function | Description |
|---|---|
| Connection | Establishes VSOCK link to VSOCKpuppet |
| Control | Sends commands to compromised ESXi |
| Access | Enables persistent access from any guest VM |
VSOCKpuppet: The invisible backdoor
VSOCKpuppet deserves special attention. Rather than using traditional network sockets, it communicates over VSOCK—VMware’s high-speed interface for guest-to-hypervisor communication.
Why VSOCK is dangerous
| Factor | Implication |
|---|---|
| No network visibility | VSOCK traffic doesn’t traverse network interfaces |
| Firewall bypass | Firewalls don’t filter VSOCK connections |
| IDS/IPS blind spot | Security systems can’t inspect this traffic |
| EDR limitations | Most endpoint agents don’t monitor VSOCK |
| IR challenges | Standard forensics may miss the backdoor |
Detection challenges
| Traditional tool | Visibility |
|---|---|
| Network monitoring | None |
| Firewall logs | None |
| NetFlow/IPFIX | None |
| Packet capture | None |
| ESXi host monitoring | Possible with specialized tools |
Attribution
Huntress assesses the developer is likely operating in a Chinese-speaking region:
| Evidence | Details |
|---|---|
| Language strings | Simplified Chinese in development paths |
| Folder name | “全版本逃逸—交付” (“All version escape — delivery”) |
| Sophistication | Well-resourced development over extended period |
| Zero-day access | Pre-disclosure exploitation indicates state-level capabilities |
| Target selection | Consistent with espionage objectives |
| Development timeline | Year-long lead time suggests formal program |
The combination of pre-disclosure zero-day access, extensive version support (155 builds), and sophisticated evasion techniques points to a well-funded operation.
Internet exposure
Shadowserver Foundation data (January 8, 2026) shows significant exposure:
| Metric | Value |
|---|---|
| Internet-exposed ESXi instances | 30,000+ |
| Vulnerable to CVE-2025-22224 | Majority of exposed instances |
| Running EOL versions (5.x, 6.x) | Significant portion |
| Geographic concentration | Enterprise data centers, hosting providers |
Affected versions
| Version | Patch status | Recommendation |
|---|---|---|
| ESXi 8.0 | Patch available | Update immediately |
| ESXi 7.0 | Patch available | Update immediately |
| ESXi 6.7 | End-of-life | Migrate to supported version |
| ESXi 6.5 | End-of-life | Migrate to supported version |
| ESXi 6.0 | End-of-life | Migrate to supported version |
| ESXi 5.x | End-of-life | Migrate to supported version |
The MAESTRO toolkit supports 155 builds across all these versions.
Detection guidance
YARA rules
Huntress published YARA rules for detecting MAESTRO components:
| Rule | Detects |
|---|---|
| MAESTRO_Orchestrator | exploit.exe main binary |
| MyDriver_ESXi_Exploit | Unsigned kernel driver |
| VSOCKpuppet_Backdoor | ESXi ELF backdoor |
| GetShell_Client | Windows VSOCK client |
Sigma rules
| Rule | Detection |
|---|---|
| ESXi exploitation artifacts | Unusual driver loading patterns |
| VSOCK communication anomalies | Unexpected VSOCK usage |
| Post-exploitation behavior | Lateral movement indicators |
Manual hunting
| Location | What to look for |
|---|---|
| Guest VMs | exploit.exe, client.exe, MyDriver.sys |
| ESXi hosts | Unexpected ELF binaries in /tmp or /var |
| Network | RDP from unusual sources |
| AD | Domain Admin usage anomalies |
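To operationalise the "ESXi hosts" row above, here is an added hunting script (not Huntress tooling) that walks /tmp and /var and reports every regular file carrying the ELF magic, with its size and SHA-256. It assumes the host's bundled Python 3, or a copied-off filesystem image passed as `prefix`; the default roots, the `allowlist` parameter and the sample tree it builds are assumptions or constructed data, not indicators from the Huntress report.

```python
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Directories the article names as drop locations on ESXi hosts (assumed defaults).
DEFAULT_ROOTS = ("/tmp", "/var")

def is_elf(path):
    """True if the file starts with the ELF magic; reads only the first 4 bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:  # unreadable, vanished or special file
        return False

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_elf_binaries(roots=DEFAULT_ROOTS, prefix="", allowlist=()):
    """Return sorted [(path, size, sha256)] for ELF files under roots.
    `prefix` points at a copied-off filesystem image ("" on a live host);
    `allowlist` holds known-good path prefixes to skip (both are assumptions)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(prefix + root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                if any(path.startswith(prefix + a) for a in allowlist):
                    continue
                if is_elf(path):
                    hits.append((path, os.path.getsize(path), sha256_of(path)))
    return sorted(hits)

def build_constructed_sample():
    """Constructed test tree (not a real host): a fake ELF under tmp, a text log under var."""
    prefix = tempfile.mkdtemp()
    os.makedirs(prefix + "/tmp")
    os.makedirs(prefix + "/var/log")
    with open(prefix + "/tmp/puppet", "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 61)  # header-shaped bytes, no code
    with open(prefix + "/var/log/hostd.log", "w") as fh:
        fh.write("constructed log line\n")
    return prefix
```

On a live host call `find_elf_binaries()`; on a copied-off image call `find_elf_binaries(prefix=mount_point)` and compare the hashes against your own known-good inventory before treating a hit as malicious.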
Recommendations
| Priority | Action |
|---|---|
| Critical | Patch ESXi 7.0 and 8.0 immediately |
| Critical | Migrate off ESXi 6.x and 5.x — No patches available |
| Critical | Audit SonicWall VPNs — Common initial access vector |
| High | Hunt for VSOCKpuppet — Check ESXi hosts for unexpected ELF binaries |
| High | Review Domain Admin accounts — Attackers pivoted using compromised credentials |
Network security
| Control | Purpose |
|---|---|
| VPN patching | Address SonicWall and similar vulnerabilities |
| Network segmentation | Isolate hypervisor management networks |
| Access controls | Restrict ESXi management to jump hosts |
| MFA | Require for all administrative access |
Monitoring
| Capability | Implementation |
|---|---|
| ESXi host integrity | Monitor for unexpected binaries |
| VSOCK auditing | Enable if available |
| Behavioral analysis | Detect unusual hypervisor activity |
| Driver loading | Alert on unsigned driver installation |
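As an added example (not Huntress's published Sigma rules), the following detection logic covers the guest-side behaviours named in the Sigma and Monitoring tables: an unsigned driver load, devcon.exe disabling a VMCI device, and execution of the component file names the article reports. Events are constructed dicts using Sysmon's field names (EventID 1 process create, EventID 6 driver load); the command lines and paths are assumptions, not captured telemetry.

```python
import os

# File names the article reports for the toolkit's guest-side components.
MAESTRO_NAMES = {"exploit.exe", "client.exe", "mydriver.sys"}

def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()

def check_event(ev):
    """Return a list of alert strings for one event dict (empty if nothing matched)."""
    alerts = []
    eid = ev.get("EventID")
    if eid == 6:  # Sysmon driver load: unsigned driver, or a driver name from the report
        drv = ev.get("ImageLoaded", "")
        if str(ev.get("Signed", "")).lower() != "true":
            alerts.append(f"unsigned driver loaded: {drv}")
        if _base(drv) in MAESTRO_NAMES:
            alerts.append(f"known MAESTRO driver name: {drv}")
    elif eid == 1:  # Sysmon process create
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "").lower()
        if _base(image) == "devcon.exe" and "disable" in cmd and "vmci" in cmd:
            alerts.append(f"devcon.exe disabling VMCI device: {ev.get('CommandLine')}")
        if _base(image) in MAESTRO_NAMES:
            alerts.append(f"known MAESTRO component executed: {image}")
    return alerts

def scan(events):
    """Return [(record index, alert)] over an iterable of event dicts."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]

# Constructed sample telemetry (not real captures): two benign records, then three suspicious.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\vmci.sys",
     "Signed": "true", "Signature": "VMware, Inc."},
    {"EventID": 1, "Image": r"C:\Tools\devcon.exe", "CommandLine": "devcon.exe disable *vmci*"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\MyDriver.sys", "Signed": "false", "Signature": "-"},
    {"EventID": 1, "Image": r"C:\Users\Public\exploit.exe", "CommandLine": "exploit.exe"},
]
```

A signed-driver check alone will not catch every loader (KDU-style tools abuse legitimately signed drivers to load the unsigned one), so keep the devcon.exe and file-name rules alongside it.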
Context
This attack demonstrates that:
| Reality | Implication |
|---|---|
| VM isolation is not absolute | Escape is possible with right vulnerabilities |
| Zero-days exploited before disclosure | Sophisticated actors have year-long advantages |
| Hypervisor compromise is catastrophic | All guest VMs are compromised |
| EOL software is indefensible | No patches means no protection |
| VSOCK creates blind spots | Traditional monitoring misses this traffic |
The MAESTRO toolkit’s support for 155 ESXi builds—spanning nearly a decade of releases—shows the level of investment sophisticated threat actors make in maintaining exploitation capabilities. Organizations running VMware infrastructure should treat this as a wake-up call to patch aggressively, migrate off unsupported versions, and implement monitoring that can detect hypervisor-level compromise.