ESXi Exploitation in the Wild
ID: 2ae73ea6-56b0-5db6-936b-bdce4263e958
STIX ID: report--2ae73ea6-56b0-5db6-936b-bdce4263e958
Feed Name: Huntress Blog
In December 2025, Huntress investigated an intrusion in which an attacker, likely entering via a compromised SonicWall VPN, used a multi-stage ESXi VM escape toolkit (MAESTRO plus MyDriver.sys) that exploits CVE-2025-22226, CVE-2025-22224 and CVE-2025-22225 to leak VMX memory, execute shellcode, and install a VSOCK-based ELF backdoor (VSOCKpuppet) on ESXi hosts. The toolkit supports 155 ESXi builds (5.1 through 8.0), uses KDU to load unsigned drivers, and communicates over VSOCK to evade network monitoring. Huntress prevented further impact, published IOCs (file hashes and links to Yara/Sigma rules), and recommends immediate ESXi patching, host-level monitoring (e.g. lsof for VMCI sockets), and detection rules for the documented behaviors.
