What happened
VMware ESXi zero-days were likely exploited a year before disclosure, according to analysis by managed security firm Huntress, which found evidence of Chinese-speaking threat actors using a compromised SonicWall VPN to deploy an exploit toolkit against VMware ESXi virtualization hosts as early as February 2024. The attackers chained three vulnerabilities later disclosed in March 2025 (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) to perform a virtual machine (VM) escape and gain hypervisor access. Huntress detailed the toolkit's components: MAESTRO, which coordinates the VM escape; an unsigned kernel driver (MyDriver.sys); a VSOCK backdoor (VSOCKpuppet); and a client tool for command execution. The initial access vector was a pivot from a Domain Admin account compromised through SonicWall to the ESXi hosts. The activity indicates that exploitation likely occurred long before public disclosure and patch availability.
Who is affected
Organizations running VMware ESXi hosts and using SonicWall VPN appliances are directly exposed to this zero-day exploit chain if their systems are unpatched; actual exposure depends on the presence of vulnerable systems in the environment.
Why CISOs should care
Early exploitation of critical virtualization vulnerabilities can enable hypervisor compromise, lateral movement, and persistent access, underscoring the need for rapid patching, asset visibility, and segmented network access controls.
3 practical actions
- Apply patches promptly: Ensure all ESXi hosts and VPN appliances are updated with the latest security fixes.
- Harden access paths: Restrict management and VPN access to trusted networks with multi-factor authentication.
- Monitor hypervisor activity: Use logging and anomaly detection to flag unusual VM escape indicators.
