VMware ESXi Zero-Days Exploited in the Wild for Over a Year Before Discovery

By Signal, January 9, 2026
Chinese threat actors successfully exploited critical VMware ESXi vulnerabilities for more than a year before security researchers and vendors became aware of the flaws, according to new analysis that exposes alarming gaps in enterprise threat detection capabilities. The discovery highlights how sophisticated attackers can maintain persistent access to critical virtualization infrastructure while operating completely under the radar of traditional security controls.

Huntress researchers analyzing December 2024 attacks found evidence that threat actors had developed and deployed a sophisticated ESXi exploit toolkit as early as February 2024, nearly 13 months before VMware disclosed the vulnerabilities in March 2025. The timeline suggests that some of the world's most critical IT infrastructure remained vulnerable to undetected compromise for an extended period, with potentially widespread implications for enterprise security.

## What Happened

The attack chain began with threat actors compromising a SonicWall VPN appliance to gain initial network access. From there, attackers used compromised Domain Administrator credentials to move laterally via RDP to domain controllers, s

The toolkit consisted of four primary components working in concert to achieve virtual machine escape and establish persistent access to the underlying hypervisor. MAESTRO, the coordination component, disabled VMware VMCI devices and loaded an unsigned kernel driver through KDU while monitoring exploit success. MyDriver.sys, the unsigned kernel driver, executed the actual VM escape through ESXi version detection, memory manipulation, and sandbox escape techniques.

Most notably, the attackers deployed VSOCKpuppet, an ELF backdoor that runs directly on the ESXi host and provides command execution and file transfer capabilities over VSOCK connections. This approach allows the backdoor to bypass traditional network monitoring solutions that focus on standard network protocols. A Windows VSOCK client called GetShell Plugin enabled attackers to connect from compromised guest VMs to interact with the hypervisor-level backdoor.

The exploit chain targeted three specific VMware vulnerabilities that would later be disclosed as zero-days in March 2025. CVE-2025-22224 received a critical 9.3 CVSS score for a time-of-check to time-of-use (TOCTOU) vulnerability in the Virtual Machine Communication Interface that enables out-of-bounds writes and code execution. CVE-2025-22225, scoring 8.2, is an arbitrary write vulnerability that allows attackers to escape the VMX sandbox and reach kernel-level access. CVE-2025-22226, with a 7.1 score, enables memory leakage from the VMX process through an out-of-bounds read in the Host Guest File System.

Huntress researchers discovered compelling forensic evidence pointing to the toolkit's development timeline. PDB paths embedded in exploit binaries contained folders named "2024_02_19" and "2023_11_02," suggesting active development dating back to November 2023. One path included Chinese text translating to "All/Full version escape - delivery," indicating the toolkit was designed to target multiple ESXi versions, including ESXi 8.0 Update 3.

## Why It Matters

This extended exploitation timeline represents a fundamental breakdown in the security assumptions underlying modern enterprise infrastructure. VMware ESXi serves as the foundation for virtualized environments in countless organizations worldwide, making successful hypervisor compromises particularly devastating. When attackers achieve ESXi-level access, they effectively control every virtual machine running on the host, potentially accessing sensitive data across multiple systems simultaneously.

The year-long detection gap reveals critical limitations in current threat hunting and monitoring approaches. Traditional security tools focus heavily on guest operating system activity and network traffic patterns, but sophisticated attackers operating at the hypervisor level can evade these detection mechanisms entirely. The VSOCKpuppet backdoor specifically demonstrates how threat actors can leverage virtualization-specific communication channels to maintain persistent access while avoiding standard network monitoring.

The timeline also raises uncomfortable questions about vulnerability disclosure practices and the balance between responsible disclosure and public awareness. While security researchers and vendors typically coordinate disclosure to allow time for patches and defensive measures, this case suggests that sophisticated threat actors may already possess and actively exploit zero-day vulnerabilities for extended periods before the security community becomes aware of them.

Enterprise organizations running VMware environments face particularly acute risks given the centralized nature of hypervisor infrastructure. A single compromised ESXi host can provide attackers with access to dozens or hundreds of virtual machines, potentially exposing vast amounts of sensitive data and critical business systems. The modular nature of the discovered toolkit suggests threat actors may be able to rapidly adapt their techniques to target newly discovered vulnerabilities.

The attack also demonstrates how initial access vectors like compromised VPN appliances can cascade into much more severe compromises when combined with sophisticated post-exploitation techniques. Organizations that focus primarily on perimeter security while neglecting internal monitoring may find themselves completely blind to hypervisor-level compromises.

## What To Do

VMware administrators should immediately prioritize upgrading to the latest ESXi versions that address the disclosed vulnerabilities.
However, patching alone is insufficient given the sophisticated nature of these attacks and the likelihood that additional unknown vulnerabilities exist.

Implement enhanced logging and monitoring focused specifically on hypervisor activity. Enable ESXi Shell access logging, configure syslog forwarding from ESXi hosts to a centralized security information and event management (SIEM) system, and establish baselines for normal hypervisor resource utilization. Monitor for unusual VMCI device activity, unexpected kernel module loads, and abnormal VSOCK communication patterns that could indicate exploitation attempts.

Strengthen network segmentation around virtualization infrastructure by isolating ESXi management networks from general corporate networks and implementing strict access controls for hypervisor administration. Deploy dedicated monitoring solutions that can inspect virtualization-specific protocols and communication channels rather than relying solely on traditional network security tools.

Review and harden VPN infrastructure, particularly SonicWall appliances, which served as the initial attack vector in this campaign. Implement multi-factor authentication for all VPN access, regularly audit VPN user accounts and access patterns, and consider deploying zero-trust network access solutions that provide more granular control over remote access privileges.

Establish or enhance threat hunting programs specifically targeting hypervisor environments. Security teams should develop detection logic for VM escape attempts, unusual hypervisor API calls, and suspicious inter-VM communication patterns. Consider deploying specialized security solutions designed to monitor virtualized environments at the hypervisor level rather than relying exclusively on guest-based agents.

Organizations should also evaluate their vulnerability management processes to ensure they can rapidly deploy critical hypervisor patches when disclosed.
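As an added illustration of the monitoring guidance above (example code written for this page, not part of Huntress's analysis or any VMware tooling), the following Python triages syslog lines forwarded from ESXi hosts for the signals named here: shell enablement, unexpected module loads and VMCI/VSOCK activity, correlated per host inside a time window so that isolated noise is not escalated. The log layout, rule patterns, weights, threshold and sample lines are all constructed assumptions; real ESXi message formats vary by release and must be matched against your own feed.

```python
"""Added example: triage forwarded ESXi syslog lines for hypervisor-level warning signs."""
import re
from datetime import datetime, timedelta

# Assumed (constructed) line shape "<ISO ts> <host> <process>[pid]: <message>"; anchor on your feed.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) "
                     r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Illustrative rules (name, weight, pattern over the message body); weights are constructed.
RULES = (
    ("shell_enabled", 3, re.compile(r"ESXi Shell .* enabled", re.I)),
    ("module_load", 4, re.compile(r"\bload(?:ed|ing)? module\b", re.I)),
    ("vmci_vsock", 3, re.compile(r"\b(?:vmci|vsock)\b", re.I)),
)
ESCALATE_AT = 6  # shell enablement plus at least one follow-on signal


def parse_line(line):
    """Split one syslog line into fields; None if it does not match the assumed shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}


def triage(lines, window=timedelta(minutes=30)):
    """Score each host; a hit counts only within `window` of that host's first hit."""
    hosts = {}
    for raw in lines:  # lines are assumed to arrive in time order
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, weight, pat in RULES:
            if not pat.search(rec["msg"]):
                continue
            st = hosts.setdefault(rec["host"], {"score": 0, "hits": [], "first": rec["ts"]})
            if rec["ts"] - st["first"] <= window:
                st["score"] += weight
                st["hits"].append(name)
    return {h: {"score": s["score"], "hits": s["hits"],
                "escalate": s["score"] >= ESCALATE_AT} for h, s in hosts.items()}


# Constructed sample feed (not real ESXi output): esx01 chains three signals, esx02 is isolated noise.
SAMPLE = [
    "2024-12-03T02:14:07Z esx01 Hostd[2216]: ESXi Shell for the host has been enabled",
    "2024-12-03T02:16:02Z esx01 vmkernel: cpu4:2291)Loading module example_mod",
    "2024-12-03T02:17:55Z esx01 vmkernel: cpu2:2300)VMCI: new vsock connection accepted",
    "2024-12-03T03:00:00Z esx02 vmkernel: cpu0:2105)vsock keepalive",
    "2024-12-03T09:40:10Z esx01 vmkernel: cpu1:2401)vsock keepalive",  # outside window
]
```

Running `triage(SAMPLE)` escalates esx01 (score 10) while esx02 stays at score 3, which is the distinction the article's monitoring advice depends on: individual VSOCK or module events are routine, their clustering after shell enablement on one host is not.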
Given the potential for widespread impact from ESXi compromises, VMware security updates should receive the highest priority in patch deployment schedules.

## Looking Forward

This incident serves as a stark reminder that sophisticated threat actors often operate years ahead of public security awareness. The modular nature of the discovered toolkit suggests attackers maintain ongoing research and development capabilities focused on virtualization infrastructure, likely possessing additional zero-day capabilities not yet disclosed.

Security teams must fundamentally reconsider their detection and monitoring strategies to account for hypervisor-level threats. The traditional focus on endpoint and network monitoring, while important, proves insufficient against attackers operating at the infrastructure layer. Organizations that fail to adapt their security approaches to address virtualization-specific threats may find themselves vulnerable to undetected compromises lasting months or years.

The disclosure also highlights the critical importance of threat intelligence sharing and collaborative security research. Only through industry-wide cooperation can the security community hope to identify and address sophisticated long-term compromises before they cause widespread damage to critical infrastructure.

**Tags:** VMware, ESXi, Zero-Day, Virtualization Security, Threat Hunting