Hackers Exploit VMware ESXi with Zero-Day Toolkit: A Deep Dive into MAESTRO
In a recent cybersecurity incident, threat actors have been observed exploiting VMware ESXi hypervisors using a sophisticated zero-day exploit toolkit, identified as MAESTRO. This toolkit chains multiple vulnerabilities to achieve virtual machine (VM) escapes, allowing attackers to execute code on the host system from within a guest VM. The attack was notably intercepted by cybersecurity firm Huntress, which traced the initial breach to a compromised SonicWall VPN.
Initial Breach and Lateral Movement
The attackers gained initial access through a compromised SonicWall VPN, then used a hijacked Domain Administrator account to move laterally within the network. Their progression included infiltrating backup systems and primary domain controllers. On the primary domain controller, they deployed reconnaissance tools such as Advanced Port Scanner and ShareFinder, used WinRAR for data staging, and modified Windows firewall rules to block external outbound traffic while still permitting internal lateral movement. Approximately 20 minutes after deploying the MAESTRO toolkit, the attackers initiated the ESXi exploit. Huntress intervened before ransomware was deployed, limiting the potential damage.
Anatomy of the MAESTRO Toolkit
The MAESTRO toolkit is a multi-faceted exploit framework designed to disable VMware Virtual Machine Communication Interface (VMCI) drivers using `devcon.exe`, load an unsigned driver via Kernel Driver Utility (KDU) to circumvent Driver Signature Enforcement, and execute the core VM escape exploit. The toolkit’s components include:
– MyDriver.sys: This component queries the ESXi version through the VMware Guest SDK, selects appropriate offsets from a table supporting 155 builds across ESXi versions 5.1 to 8.0, leaks the VMX base via the Host-Guest File System (HGFS) (CVE-2025-22226), corrupts memory through VMCI (CVE-2025-22224), and deploys shellcode to escape the VM sandbox (CVE-2025-22225).
– VSOCKpuppet: A backdoor that hijacks ESXi’s `inetd` service on port 21, enabling root-level execution. It utilizes VSOCK for covert guest-to-host communication, effectively evading detection by traditional network monitoring tools.
Vulnerabilities Exploited
The MAESTRO toolkit exploits the following vulnerabilities:
1. CVE-2025-22226: An out-of-bounds read in HGFS that leaks memory from the VMX process, facilitating information disclosure.
2. CVE-2025-22224: A critical heap overflow in VMCI, allowing an attacker with local administrative privileges inside a VM to execute code on the underlying host.
3. CVE-2025-22225: An arbitrary write vulnerability in ESXi, enabling attackers with VMX process privileges to write arbitrary kernel data, thereby bypassing sandbox protections.
Indicators of Compromise and Attribution
Analysis of the toolkit’s components revealed development in environments using Simplified Chinese, with file paths such as 全版本逃逸–交付 (translated as “all-version escape – delivery”) dated February 2024. This predates Broadcom’s disclosure of these vulnerabilities in March 2025, suggesting that the attackers had access to zero-day exploits well in advance. Additionally, a `client.exe` file dated November 2023 indicates a modular approach to the toolkit’s development. References to XLab within tampered VMware drivers further suggest a structured development environment. Huntress has expressed high confidence that the toolkit is of Chinese-speaking origin, based on the resources and the access to zero-day vulnerabilities it demonstrates.
Mitigation Strategies
Given the severity of these exploits, organizations utilizing VMware ESXi are urged to:
– Apply Patches Promptly: Ensure that all ESXi instances are updated to the latest versions that address these vulnerabilities.
– Monitor for Anomalies: Regularly check ESXi hosts for unusual processes, especially those involving VSOCK communications, which may indicate the presence of backdoors like VSOCKpuppet.
– Secure VPN Access: Implement robust security measures for VPNs, including multi-factor authentication, to prevent unauthorized access.
– Review Firewall Configurations: Be vigilant for unauthorized changes to firewall rules, as these may be indicative of an ongoing attack.
– Detect Unsigned Drivers: Monitor for the loading of unsigned drivers, which can be a sign of exploit attempts.
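The following is an added example, not code from the article or from Huntress, showing how the monitoring advice above can be turned into a small hunt over telemetry. It applies four checks drawn from the reported tradecraft: `devcon.exe` used to disable VMCI drivers, a KDU-style loader and unsigned driver loads on Windows guests, `netsh` rules that block outbound traffic, and non-commented `/etc/inetd.conf` entries on an ESXi host that expose port 21 or point at a binary outside the expected system paths. All log events, file contents, hardware IDs and file paths in the block are constructed for illustration; the event field names are an assumption about whatever EDR or Sysmon export a team has, not a real product schema.

```python
"""Defensive hunt over constructed sample telemetry for MAESTRO-style indicators.

Added example; the event dictionaries, driver-load records and inetd.conf excerpt
are constructed, and their field names (host, image, cmdline, signed, driver) are
assumed rather than taken from any specific product.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str       # short name of the detection rule that fired
    evidence: str   # the line or command that triggered it


# --- Constructed process-creation events from a Windows guest / domain controller ---
SAMPLE_PROCESS_EVENTS = [
    {"host": "dc01", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "signed": True},
    {"host": "dc01", "image": "C:\\tools\\devcon.exe",
     "cmdline": "devcon.exe disable VMware_VMCI", "signed": True},     # constructed hardware ID
    {"host": "dc01", "image": "C:\\tools\\kdu.exe",
     "cmdline": "kdu.exe -map MyDriver.sys", "signed": False},
    {"host": "dc01", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=block_out dir=out action=block",
     "signed": True},
]

# --- Constructed kernel driver-load records (e.g. from Sysmon event 6 style telemetry) ---
SAMPLE_DRIVER_LOADS = [
    {"host": "dc01", "driver": "C:\\Windows\\System32\\drivers\\vmci.sys", "signed": True},
    {"host": "dc01", "driver": "C:\\Users\\Public\\MyDriver.sys", "signed": False},
]

# --- Constructed excerpt of /etc/inetd.conf pulled from an ESXi host ---
SAMPLE_INETD_CONF = """\
# constructed excerpt; the ftp line re-enables a listener on port 21
#ftp     stream  tcp   nowait  root  /sbin/ftpd   ftpd
ftp      stream  tcp   nowait  root  /tmp/.svc    .svc
ssh      stream  tcp   nowait  root  /sbin/sshd   sshd
"""

DEVCON_VMCI = re.compile(r"\bdevcon(\.exe)?\s+(disable|remove)\b.*vmci", re.I)
FW_BLOCK_OUT = re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=out\b.*\baction=block\b", re.I)
KDU_IMAGE_NAMES = {"kdu.exe"}
EXPECTED_INETD_SERVER_PREFIXES = ("/sbin/", "/usr/lib/vmware/")
# Constructed subset of /etc/services used to map inetd service names to ports.
PORT_BY_SERVICE = {"ftp": 21, "ssh": 22}


def _basename(win_path: str) -> str:
    # Windows paths use backslashes; normalise so this also works when run on Linux.
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt_process_events(events):
    """Flag VMCI driver disabling, KDU-style loaders and outbound-blocking firewall rules."""
    findings = []
    for e in events:
        where = f'{e["host"]}: {e["cmdline"]}'
        if DEVCON_VMCI.search(e["cmdline"]):
            findings.append(Finding("vmci-driver-disabled", where))
        if _basename(e["image"]) in KDU_IMAGE_NAMES:
            findings.append(Finding("kdu-driver-loader", where))
        if FW_BLOCK_OUT.search(e["cmdline"]):
            findings.append(Finding("firewall-outbound-block", where))
    return findings


def hunt_driver_loads(loads):
    """Flag any kernel driver that loaded without a valid signature."""
    return [Finding("unsigned-driver-load", f'{d["host"]}: {d["driver"]}')
            for d in loads if not d["signed"]]


def hunt_inetd_conf(text, suspicious_ports=(21,)):
    """Flag active inetd entries that expose a suspicious port or an unexpected server binary."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank or commented-out entry, not listening
        fields = stripped.split()
        if len(fields) < 6:
            continue                      # malformed line; inetd would ignore it too
        service, server = fields[0], fields[5]
        port = PORT_BY_SERVICE.get(service)
        if port in suspicious_ports or not server.startswith(EXPECTED_INETD_SERVER_PREFIXES):
            findings.append(Finding("inetd-unexpected-listener", stripped))
    return findings


def run_all():
    """Run every check over the constructed samples and return the combined findings."""
    return (hunt_process_events(SAMPLE_PROCESS_EVENTS)
            + hunt_driver_loads(SAMPLE_DRIVER_LOADS)
            + hunt_inetd_conf(SAMPLE_INETD_CONF))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.rule}] {f.evidence}")
```

Each rule is deliberately narrow so that a hit is worth a human look: the benign `svchost.exe`, signed `vmci.sys` load and commented-out `ftp` line produce nothing, while the disabling of VMCI, the loader, the outbound block rule, the unsigned driver and the live port 21 entry each produce one finding. In practice the inetd check would be fed by a configuration pull from every ESXi host on a schedule, and the port map would come from the host's real `/etc/services` rather than the constructed subset here.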
Conclusion
The emergence of the MAESTRO toolkit underscores the evolving threat landscape targeting virtualization infrastructures. Attackers are increasingly focusing on hypervisor vulnerabilities to achieve stealthy and persistent access to critical systems. Organizations must adopt a proactive security posture, emphasizing timely patching, continuous monitoring, and comprehensive network security measures to defend against such sophisticated threats.