China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines.

Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024.

Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it may have resulted in a ransomware attack.

Most notably, the attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process.

That same month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

"The toolkit analyzed [...] also includes simplified Chinese strings in its development paths, including a folder named '全版本逃逸--交付' (translated: 'All version escape - delivery'), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware's public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region," researchers Anna Pham and Matt Anderson said.

-VM Escape exploitation flow

The driver's main responsibility is to identify the exact ESXi version running on the host and trigger an exploit for CVE-2025-22226 and CVE-2025-22224, ultimately allowing the attacker to write three payloads directly into VMX's memory -

• Stage 1 shellcode, to prepare the environment for the VMX sandbox escape

• Stage 2 shellcode, to establish a foothold on the ESXi host

• VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000

"After writing the payloads, the exploit overwrites a function pointer inside VMX," Huntress explained. "It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger VMX."

-VSOCK communication protocol between client.exe and VSOCKpuppet

"When VMX handles the message, it follows the corrupted pointer and jumps to the attacker's shellcode instead of legitimate code. This final stage corresponds to CVE-2025-22225, which VMware describes as an 'arbitrary write vulnerability' that allows 'escaping the sandbox.'"

Because VSOCK provides a direct communication channel between guest VMs and the hypervisor, threat actors have been observed using a "client.exe" (aka GetShell Plugin) from any guest Windows VM on the compromised host to send commands back to the compromised ESXi and interact with the backdoor. The PDB path embedded in the binary reveals it may have been developed in November 2023.

The client supports downloading files from ESXi to the VM, uploading files from the VM to ESXi, and executing shell commands on the hypervisor. Interestingly, the GetShell Plugin is deployed to the Windows VM as a ZIP archive ("Binary.zip"), which also includes a README file with usage instructions, providing insight into its file transfer and command execution features.

It's currently unclear who is behind the toolkit. Still, the use of simplified Chinese, coupled with the sophistication of the attack chain and the abuse of zero-day vulnerabilities months before public disclosure, likely points to a well-resourced developer operating in a Chinese-speaking region, Huntress theorized.

"This intrusion demonstrates a sophisticated, multi-stage attack chain designed to escape virtual machine isolation and compromise the underlying ESXi hypervisor," the company added. "By chaining an information leak, memory corruption, and sandbox escape, the threat actor achieved what every VM administrator fears: full control of the hypervisor from within a guest VM."

"The use of VSOCK for backdoor communication is particularly concerning, as it bypasses traditional network monitoring entirely, making detection significantly harder. The toolkit also prioritizes stealth over persistence."

Pham, a senior tactical response analyst at Huntress, told The Hacker News that there is no evidence to suggest that the toolkit was advertised or sold on dark web forums, adding that it was deployed in a targeted manner.

"However, given the presence of a README file with operational instructions, the toolkit was clearly designed for distribution beyond the original developer," Pham said. "We assess with high confidence that the toolkit is being sold privately by a Chinese-speaking developer, likely through private channels or closed groups rather than public underground markets."

"The targeted nature of observed deployments suggests the toolkit may be distributed selectively to vetted buyers rather than broadly commercialized, consistent with higher-end offensive tooling that operators prefer to keep out of widespread propagation to avoid detection signature development."

(The story was updated after publication to include additional commentary from Huntress.)

Found this article interesting? Follow us on Google News, Twitter, and LinkedIn to read more exclusive content we post.