“VM Isolation is Not Absolute”: Researchers Unmask Sophisticated ESXi “Maestro” Exploit
ID: 7414bd81-0984-56d6-b56e-43e4ba3c9970
STIX ID: report--7414bd81-0984-56d6-b56e-43e4ba3c9970
Feed Name: securityonline.info
Huntress details a high-impact December 2025 intrusion in which attackers escaped a guest VM to fully compromise VMware ESXi hosts. The attackers used a toolkit (MAESTRO), an unsigned kernel driver (MyDriver.sys) and a stealthy VSOCK-based backdoor (VSOCKpuppet). The report indicates that the exploit likely existed as a zero-day since February 2024 and affects a wide range of ESXi builds (5.1–8.0), emphasizing the need for aggressive patching and host-level monitoring.
