Chinese-speaking threat actors exploited a SonicWall VPN to deliver a VMware ESXi exploit toolkit that had been developed more than a year before the vulnerabilities it targets became public. The attack involved sophisticated VM escape techniques chaining multiple zero-day vulnerabilities, potentially allowing attackers to compromise hypervisors and extract data from the guests they host.
Key points
- Threat actors used a compromised SonicWall VPN to gain initial access.
- The exploit toolkit targeted VMware ESXi vulnerabilities disclosed in March 2025.
- Multiple zero-day flaws, including CVE-2025-22226, CVE-2025-22224, and CVE-2025-22225, were exploited for VM escape.
- The toolkit comprised components including MAESTRO, MyDriver.sys, VSOCKpuppet, and a GetShell plugin.
- Development clues suggest the toolkit was created around February 2024, well before the March 2025 disclosure, indicating advanced forethought.