China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines

Jan 09, 2026Ravie LakshmananVirtualization / Vulnerability

Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024.

Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it may have resulted in a ransomware attack.

Most notably, the attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process.

That same month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

“The toolkit analyzed […] also includes simplified Chinese strings in its development paths, including a folder named ‘全版本逃逸–交付’ (translated: ‘All version escape – delivery’), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware’s public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region,” researchers Anna Pham and Matt Anderson said.

The assessment that the toolkit weaponizes the three VMware shortcomings is based on the exploit’s behavior, its use of Host-Guest File System (HGFS) for information leaking, Virtual Machine Communication Interface (VMCI) for memory corruption, and shellcode that escapes to the kernel, the company added.

• devcon.exe, to disable VMware’s guest-side VMCI drivers
• MyDriver.sys, an unsigned kernel driver containing the exploit that’s loaded into kernel memory using an open-source tool called Kernel Driver Utility (KDU), following which the exploit status is monitored and the VMCI drivers are re-enabled

VM Escape exploitation flow

The driver’s main responsibility is to identify the exact ESXi version running on the host and trigger an exploit for CVE-2025-22226 and CVE-2025-22224, ultimately allowing the attacker to write three payloads directly into VMX’s memory –

• Stage 1 shellcode, to prepare the environment for the VMX sandbox escape
• Stage 2 shellcode, to establish a foothold on the ESXi host
• VSOCKpuppet, a 64-bit ELF backdoor that provides persistent remote access to the ESXi host and communicates over VSOCK (Virtual Sockets) port 10000

“After writing the payloads, the exploit overwrites a function pointer inside VMX,” Huntress explained. “It first saves the original pointer value, then overwrites it with the address of the shellcode. The exploit then sends a VMCI message to the host to trigger VMX.”

VSOCK communication protocol between client.exe and VSOCKpuppet

“When VMX handles the message, it follows the corrupted pointer and jumps to the attacker’s shellcode instead of legitimate code. This final stage corresponds to CVE-2025-22225, which VMware describes as an ‘arbitrary write vulnerability’ that allows ‘escaping the sandbox.'”

Because VSOCK offers a direct communication pathway between guest VMs and the hypervisor, the threat actors have been found to employ a “client.exe” (aka GetShell Plugin) that can be used from any guest Windows VM on the compromised host and send commands back up to the compromised ESXi and interact with the backdoor. The PDB path embedded in the binary reveals it may have been developed in November 2023.

The client supports the ability to download files from ESXi to the VM, upload files from the VM to ESXi, and execute shell commands on the hypervisor. Interestingly, the GetShell Plugin is dropped to the Windows VM in the form of a ZIP archive (“Binary.zip”), which also includes a README file with usage instructions, giving an insight into its file transfer and command execution features.

It’s currently not clear who is behind the toolkit, but the use of simplified Chinese, coupled with the sophistication of the attack chain and the abuse of zero-day vulnerabilities months before public disclosure, likely points to a well-resourced developer operating in a Chinese-speaking region, theorized Huntress.

“This intrusion demonstrates a sophisticated, multi-stage attack chain designed to escape virtual machine isolation and compromise the underlying ESXi hypervisor,” the company added. “By chaining an information leak, memory corruption, and sandbox escape, the threat actor achieved what every VM administrator fears: full control of the hypervisor from within a guest VM.”

“The use of VSOCK for backdoor communication is particularly concerning, it bypasses traditional network monitoring entirely, making detection significantly harder. The toolkit also prioritizes stealth over persistence.”