Broadcom turned an ESXi zero-day into a patch-access crisis
CVE-2025-22225 was exploited for over a year before Broadcom patched it. Then perpetual license holders couldn't download the fix.
A folder on an attacker’s build system, timestamped February 2024, translates from simplified Chinese as “All version escape - delivery.” Inside it: a weaponized exploit chain targeting 155 ESXi builds spanning versions 5.1 through 8.0. The toolkit had been operational for at least 13 months before Broadcom shipped a patch. When that patch finally arrived on March 4, 2025, a significant portion of the VMware install base couldn’t download it because Broadcom had locked them out of the support portal.
Three CVEs, one escape
CVE-2025-22225 is the final link in a three-vulnerability chain collectively dubbed "ESXicape." The sequence runs from information leak to code execution to escape, and each step depends on the one before it:
- CVE-2025-22226 (CVSS 7.1): an information disclosure in the HGFS subsystem leaks VMX process memory, defeating ASLR so the later stages know where to aim.
- CVE-2025-22224 (CVSS 9.3): a TOCTOU race in the VMCI subsystem produces an out-of-bounds write and code execution inside the VMX process, still confined by its sandbox.
- CVE-2025-22225 (CVSS 8.2): an arbitrary write into the VMkernel overwrites function pointers and escapes the sandbox entirely.
Start with admin access inside a guest VM. End with kernel-level control of the ESXi host and every VM running on it. Post-exploitation included a backdoor called VSOCKpuppet, listening on VSOCK port 10000. VSOCK is a host-to-guest channel that never touches the TCP/IP stack, so the backdoor is invisible to network-based monitoring.
Microsoft Threat Intelligence Center (MSTIC) discovered and reported all three. That detail matters: MSTIC found them in the wild, not in a lab. Someone was already running the full chain against real infrastructure.
Thirteen months of lead time
The exploit toolkit, named MAESTRO by Huntress, was not a proof of concept. It was a product. It disabled VMCI drivers, bypassed Windows Driver Signature Enforcement using KDU, loaded an unsigned kernel driver, chained all three CVEs in sequence, deployed the VSOCKpuppet backdoor, then re-enabled VMware drivers to cover its tracks. PDB paths in the build artifacts date to November 2023. The “delivery” packaging folder dates to February 2024.
No named APT group has been formally attributed. Huntress assessed “Chinese-speaking, well-resourced.” The toolkit’s documentation was in simplified Chinese with English READMEs, suggesting it was packaged for distribution to multiple operators.
Broadcom patched on March 4, 2025. CISA added all three CVEs to KEV the same day, with a remediation deadline of March 25. Twenty-one days. Reasonable if you can download the patch.
The portal problem
Broadcom completed its $69 billion acquisition of VMware in November 2023, then eliminated perpetual licenses, raised the minimum purchase from 16 to 72 cores, and pushed renewal costs up three to five times for many customers. The security consequence of that licensing change arrived the day CVE-2025-22225 was disclosed.
Perpetual license holders with expired support contracts could not access the Broadcom patch portal. Internal communications acknowledged delays of up to 90 days for alternative access channels. Ninety days. CISA gave 21.
Broadcom had carved out a policy in April 2024 offering free critical patches, but with two restrictions that made it nearly useless for this chain: the policy covered only vulnerabilities scoring CVSS 9.0 and above, and only vSphere 8.x "supported versions." CVE-2025-22225 scored 8.2. It would not have qualified. The fact that it is the sandbox-escape step in a chain whose middle link scores 9.3 did not matter to the policy as written.
ESXi 6.5 received no patch at all. End of support. No workarounds exist for any of the three CVEs. The Dutch government agency Rijkswaterstaat, which runs national infrastructure including tunnel and lock control systems, sued Broadcom after an 85% cost increase. A court in The Hague ordered Broadcom to maintain support during the agency’s migration period. Most organizations don’t have the Dutch judiciary as a fallback plan.
Why hypervisors are the target
The math is simple. Encrypt one ESXi host's datastores and you take out every VM running on it. CrowdStrike calls it "hypervisor jackpotting." vCenter's centralized management model compounds the effect: a single vCenter compromise yields the vpxuser credentials that vCenter stores for every host it manages.
ESXi does not run third-party EDR agents, so a compromised host produces none of the behavioral telemetry a SOC expects from a server. Backup appliances frequently run as VMs on the same clusters they protect. One host compromise can take down production, domain controllers, and backups in a single action.
Huntress data shows hypervisor-related incidents rising from 3% to 25% of malicious encryption events between H1 and H2 2025. By late 2025, Akira, Qilin, INC Ransom, and DragonForce were all operating against ESXi infrastructure. CISA updated CVE-2025-22225’s KEV entry on February 5, 2026 to confirm ransomware use.
This is not new territory. The ESXiArgs campaign of February 2023 compromised over 3,800 hosts using CVE-2021-21974, a vulnerability patched two years earlier. The pattern repeats because the patch gap persists.
The patching window
Patching a hypervisor is not like patching a Windows server. The host enters maintenance mode. Every running VM must evacuate or shut down first.
With DRS and vMotion on vSphere Enterprise Plus, vCenter automates the evacuation. Single-host disruption runs 15 to 30 minutes. Without DRS, on standalone ESXi or vSphere Essentials, every VM must be manually migrated or shut down. A host running 20-plus VMs requires a change management exercise, not a quick fix. Organizations running at 70 to 80 percent utilization patch serially, because the hosts that stay up must absorb every evacuated VM, and the total window grows with the number of hosts.
CISA’s 21-day deadline was achievable for organizations with active Broadcom subscriptions and functional DRS. It was not achievable for perpetual license holders who were blocked from the patch portal. And Qualys counted 41,500 internet-exposed ESXi instances around the time of disclosure. The intersection of “exposed to the internet” and “unable to download the patch” is exactly where ransomware operators set up camp.
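The capacity constraint behind that serial patching is easy to state and easy to get wrong under pressure, so here is a small planner that works it through. This is an added example, not code from the article, Huntress, or Broadcom. It models one rule: a host can enter maintenance mode only if the remaining hosts can absorb its load without exceeding a chosen ceiling. The 30-minute per-host figure is the upper end of the range quoted above; cluster sizes and utilisation figures in the sample run are constructed.

```python
"""Rolling-maintenance planner for a vSphere cluster (added example).

Rule modelled: with k hosts in maintenance, the cluster's total load
(hosts * utilisation) must fit on the remaining hosts - k hosts, each
no fuller than max_load. Solve for the largest k, then count the
serial rounds needed to cycle every host through maintenance.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterPlan:
    hosts: int
    utilisation: float      # fraction of total cluster capacity in use
    concurrent: int         # hosts that can be in maintenance at once
    rounds: int             # serial patch rounds needed
    window_minutes: int     # total disruption window
    feasible: bool          # False if VMs must be powered off instead


def max_hosts_in_maintenance(hosts: int, utilisation: float, max_load: float = 1.0) -> int:
    """Largest k with hosts*utilisation <= (hosts-k)*max_load, never the last host."""
    if hosts < 1 or not 0.0 <= utilisation <= 1.0 or not 0.0 < max_load <= 1.0:
        raise ValueError("need hosts >= 1, 0 <= utilisation <= 1, 0 < max_load <= 1")
    spare = hosts - (hosts * utilisation) / max_load
    k = math.floor(spare + 1e-9)          # epsilon guards float noise like 0.7999999
    return max(0, min(k, hosts - 1))      # evacuated VMs need somewhere to land


def plan(hosts: int, utilisation: float,
         minutes_per_host: int = 30, max_load: float = 1.0) -> ClusterPlan:
    """Serial patch window for the whole cluster; infeasible means VMs go down."""
    concurrent = max_hosts_in_maintenance(hosts, utilisation, max_load)
    if concurrent == 0:
        return ClusterPlan(hosts, utilisation, 0, 0, 0, False)
    rounds = math.ceil(hosts / concurrent)
    return ClusterPlan(hosts, utilisation, concurrent, rounds,
                       rounds * minutes_per_host, True)


if __name__ == "__main__":
    # Constructed scenarios: a standalone host, a small busy cluster,
    # and a larger one with some headroom.
    for hosts, util in ((1, 0.5), (4, 0.8), (8, 0.75), (16, 0.7)):
        p = plan(hosts, util)
        if p.feasible:
            print(f"{hosts:2d} hosts @ {util:.0%}: {p.concurrent} at a time, "
                  f"{p.rounds} rounds, ~{p.window_minutes} min")
        else:
            print(f"{hosts:2d} hosts @ {util:.0%}: cannot evacuate; VMs must be powered off")
```

A four-host cluster at 80% cannot take a single host out without overcommitting the other three, which is the situation the text describes for shops without DRS headroom: the patch becomes a scheduled outage, not a rolling update.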
The structural problem
Broadcom made a business decision to convert VMware’s licensing model. That is its right as the acquiring company. But security patch distribution is not a revenue optimization problem. It is infrastructure.
When a vendor acquires a product embedded in critical infrastructure across tens of thousands of organizations, the obligation to deliver security patches promptly does not pause while the licensing team renegotiates contracts. The organizations most likely to be running older ESXi versions on lapsed perpetual licenses are hospitals, municipal governments, small manufacturers, schools. They are not running outdated hypervisors because they enjoy risk. They are running them because the budget cycle is annual and the migration is expensive.
Broadcom’s April 2024 policy looked like a concession. A CVSS 9.0 threshold and a vSphere 8.x restriction turned it into a technicality. A three-CVE chain scores differently depending on which link you measure, and the middle link in this chain (CVE-2025-22224, CVSS 9.3) would have qualified while the sandbox escape that makes it catastrophic would not. Scoring policy is a poor substitute for judgment.
What to expect
If you have an active Broadcom subscription, patch to the fixed builds in VMSA-2025-0004. There are no workarounds. If you’re on ESXi 6.5, there is no patch and there won’t be one. Migration is the remediation.
If you’re between contracts, restrict ESXi management interfaces to a dedicated management VLAN, reduce accounts with guest VM admin privileges, and monitor for VSOCK connections on port 10000. These are mitigations, not fixes. PatchDay Alert tracks KEV additions and patch-access friction like this in the daily digest, because nobody patches faster when the patch is behind a paywall.
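The VSOCK monitoring suggested here, and the VSOCKpuppet listener described earlier, deserve a concrete check. The following is an added example, not code from the article, Huntress, or Broadcom. It runs on a Linux VM or management box, parses `ss -an --vsock` output to flag any VSOCK socket whose local or peer port is 10000 (the only port the article names), reports listeners missing from a baseline you supply, and can probe the hypervisor (CID 2) directly to see whether anything there accepts connections on that port. Assumptions: the iproute2 column layout shown in the constructed sample, and that an accepting host-side listener on 10000 is unexpected in your environment. Nothing here runs on ESXi itself, which has no `ss`.

```python
"""Flag VSOCK sockets touching port 10000 (added example, assumptions noted)."""
import re
import shutil
import socket
import subprocess
from dataclasses import dataclass
from typing import Optional

SUSPECT_PORTS = {10000}   # VSOCKpuppet's port as reported in the Huntress write-up

# Constructed sample in the assumed `ss -an --vsock` layout: a benign listener,
# a live connection from this guest (CID 3) to the host (CID 2) on 10000, and
# a datagram socket. Verify the real layout on your own hosts.
CONSTRUCTED_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
v_str LISTEN 0      0                  *:5000              *:*
v_str ESTAB  0      0                  3:49152             2:10000
v_dgr UNCONN 0      0                  *:5001              *:*
"""

LINE_RE = re.compile(
    r"^(?P<kind>v_str|v_dgr)\s+(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<lcid>\S+):(?P<lport>\S+)\s+(?P<pcid>\S+):(?P<pport>\S+)"
)


@dataclass(frozen=True)
class VsockSocket:
    kind: str                 # v_str (stream) or v_dgr (datagram)
    state: str
    local_cid: str            # "*" means any CID
    local_port: Optional[int]
    peer_cid: str
    peer_port: Optional[int]  # None when the peer is "*"


def _port(text: str) -> Optional[int]:
    return int(text) if text.isdigit() else None


def parse_ss_vsock(text: str) -> list[VsockSocket]:
    """Parse ss output; header and unrecognised lines are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append(VsockSocket(m["kind"], m["state"], m["lcid"], _port(m["lport"]),
                                     m["pcid"], _port(m["pport"])))
    return found


def flag_suspect(socks: list[VsockSocket], suspect=SUSPECT_PORTS) -> list[VsockSocket]:
    """Any socket, listening or connected, whose local or peer port is known-bad."""
    return [s for s in socks if s.local_port in suspect or s.peer_port in suspect]


def unbaselined_listeners(socks: list[VsockSocket], baseline: set[int]) -> list[VsockSocket]:
    """Listeners on ports you have not explicitly accounted for."""
    return [s for s in socks if s.state == "LISTEN" and s.local_port not in baseline]


def collect_live() -> list[VsockSocket]:
    """Run ss on this box; empty list if ss is missing (non-Linux, minimal image)."""
    if shutil.which("ss") is None:
        return []
    out = subprocess.run(["ss", "-an", "--vsock"], capture_output=True, text=True, check=False)
    return parse_ss_vsock(out.stdout)


def host_accepts(port: int, timeout: float = 1.0) -> Optional[bool]:
    """From inside a Linux VM, try to connect to the hypervisor (CID 2) on `port`.

    True: something on the host accepted. False: refused or timed out.
    None: AF_VSOCK unavailable on this Python/OS, so the probe says nothing.
    """
    if not hasattr(socket, "AF_VSOCK"):
        return None
    host_cid = getattr(socket, "VMADDR_CID_HOST", 2)
    try:
        with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((host_cid, port))
            return True
    except OSError:
        return False


if __name__ == "__main__":
    socks = collect_live() or parse_ss_vsock(CONSTRUCTED_SS_OUTPUT)  # sample if no ss
    for s in flag_suspect(socks):
        print(f"SUSPECT {s.kind} {s.state} {s.local_cid}:{s.local_port} -> {s.peer_cid}:{s.peer_port}")
    for s in unbaselined_listeners(socks, baseline=set()):
        print(f"unbaselined listener on port {s.local_port}")
    print("hypervisor accepts VSOCK 10000:", host_accepts(10000))
```

Run it from a scheduled job inside guests you care about and alert on either a non-empty suspect list or `host_accepts(10000)` returning True. A port-10000 hit is the only signature the article gives; the baseline check is there because the next toolkit will pick a different port.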
ESXi has produced roughly one to two critical escape-class vulnerabilities per year reaching active exploitation. The MAESTRO toolkit supported 155 builds. The next chain will not support fewer. The question is not whether another ESXi exploit will surface. The question is whether the people who need the patch will be allowed to download it.
Sources
- VMSA-2025-0004 — Broadcom Security Advisory
- The Great VM Escape: ESXi Exploitation in the Wild — Huntress
- CISA Adds Four Known Exploited Vulnerabilities to Catalog
- Broadcom Blocks VMware Patch Access for Perpetual License Holders — Network World
- China Crew Abused ESXi Zero-Days a Year Before Disclosure — The Register
- CISA Confirms CVE-2025-22225 Ransomware Exploitation — Help Net Security
- Zero Day Security Patches for vSphere 8.x Perpetual License Customers — Broadcom KB
- 41,500+ VMware ESXi Instances Vulnerable — Cybersecurity News / Qualys