China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines
https://thehackernews.com/2026/01/chinese-linked-hackers-exploit-vmware.html
Entities and relationships described in the article (labels for each item were lost in extraction; only the descriptions survive):

- Compromised SonicWall VPN appliance used as initial access vector.
- Initial entry point for attackers.
- VMware ESXi vulnerability with CVSS 9.3, allows memory leak and code execution.
- VMware ESXi arbitrary write vulnerability with CVSS 8.2, allows sandbox escape.
- VMware ESXi vulnerability with CVSS 7.1.
- Attack chains three VMware ESXi zero-day vulnerabilities.
- Orchestrator for VM escape exploitation containing embedded binaries.
- Used to disable VMware's guest-side VMCI drivers.
- Unsigned kernel driver containing the exploit, loaded into kernel memory.
- Open-source tool used to load unsigned kernel driver.
- Disable VMware VMCI drivers to facilitate exploitation.
- Exploit CVE-2025-22226 and CVE-2025-22224 to escalate privileges and write payloads to VMX memory.
- Target hypervisor system.
- Prepares environment for VMX sandbox escape.
- Establishes foothold on ESXi host.
- 64-bit ELF backdoor providing persistent remote access to ESXi host via VSOCK port 10000.
- VM escape achieved by overwriting function pointer in VMX and triggering corrupted pointer.
- Deploy backdoor on ESXi hypervisor for persistent access.
- Client tool for communicating with VSOCKpuppet backdoor from guest VM, developed November 2023.
- Use VSOCK protocol for communication between guest VM and hypervisor, bypassing network monitoring.
- Virtual socket port used for backdoor communication.
- Download and upload files between VM and ESXi host.
- Execute shell commands on ESXi hypervisor.
- ZIP archive containing GetShell Plugin and README with usage instructions.
- Guest virtual machine used to control compromised ESXi host.