Scrape Timestamp (UTC): 2025-09-30 14:59:41.538
Original Article Text
Chinese hackers exploiting VMware zero-day since October 2024

Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024.

While the American technology giant didn't tag this security bug (CVE-2025-41244) as exploited in the wild, it thanked NVISO threat researcher Maxime Thiebaut for reporting the bug in May. However, yesterday, the European cybersecurity company disclosed that this vulnerability was first exploited in the wild beginning in mid-October 2024 and linked the attacks to the UNC5174 Chinese state-sponsored threat actor.

"To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd," Thiebaut explained. "To ensure the malicious binary is picked up by the VMware service discovery, the binary must be run by the unprivileged user (i.e., show up in the process tree) and open at least a (random) listening socket."

NVISO also released a proof-of-concept exploit that demonstrates how attackers can exploit the CVE-2025-41244 flaw to escalate privileges on systems running vulnerable VMware Aria Operations (in credential-based mode) and VMware Tools (in credential-less mode) software, ultimately gaining root-level code execution on the VM.

A Broadcom spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Who is UNC5174?

Google Mandiant security analysts, who believe UNC5174 is a contractor for China's Ministry of State Security (MSS), have observed the threat actor selling access to networks of U.S. defense contractors, UK government entities, and Asian institutions in late 2023, following attacks that exploited the F5 BIG-IP CVE-2023-46747 remote code execution vulnerability.
In February 2024, it also exploited the CVE-2024-1709 ConnectWise ScreenConnect flaw to breach hundreds of U.S. and Canadian institutions.

Earlier this year, in May, UNC5174 was also linked to the in-the-wild exploitation of the CVE-2025-31324 unauthenticated file upload flaw that enables attackers to gain remote code execution on vulnerable SAP NetWeaver Visual Composer servers. Other Chinese threat actors (e.g., Chaya_004, UNC5221, and CL-STA-0048) also joined this wave of attacks, backdooring over 580 SAP NetWeaver instances, including critical infrastructure in the United Kingdom and the United States.

On Monday, Broadcom also patched two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA). In March, the company fixed three other actively exploited VMware zero-day bugs (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) reported by the Microsoft Threat Intelligence Center.
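A defender-side hunt for the precondition Thiebaut describes above (a non-root process that runs from a world-writable path and holds a listening socket), written as an added example for this page; it is not NVISO's, Broadcom's or VMware's code. The list of staging directories, the `Proc` record layout and the sample process table are assumptions constructed for the example; the article itself only names /tmp/httpd.

```python
"""Flag unprivileged processes that listen on a socket while running from a
world-writable directory, the staging pattern described in the article."""
import os
from dataclasses import dataclass, field

# Directories an unprivileged Linux user can normally write to. Assumed for
# this example; the article itself only names /tmp/httpd.
WRITABLE_STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class Proc:
    pid: int
    user: str                     # process owner (e.g. from /proc/<pid>/status)
    exe: str                      # readlink of /proc/<pid>/exe
    listening: list = field(default_factory=list)  # bound listening ports


def normalize_exe(exe):
    """Strip the ' (deleted)' suffix the kernel appends once the binary on disk
    has been unlinked after launch, so such processes are still matched."""
    if exe.endswith(" (deleted)"):
        exe = exe[: -len(" (deleted)")]
    return os.path.normpath(exe)


def is_staged_listener(proc):
    """True when proc is non-root, has a listening socket and its executable
    sits under one of the world-writable staging directories."""
    if proc.user == "root" or not proc.listening:
        return False
    path = normalize_exe(proc.exe)
    return path.startswith(tuple(d + "/" for d in WRITABLE_STAGING_DIRS))


def find_staged_listeners(procs):
    """Return (pid, user, exe) for every process matching the pattern."""
    return [(p.pid, p.user, normalize_exe(p.exe))
            for p in procs if is_staged_listener(p)]


# Constructed sample process table (not real telemetry).
SAMPLE = [
    Proc(412, "root", "/usr/sbin/httpd", [80, 443]),           # legitimate web server
    Proc(1337, "vmuser", "/tmp/httpd", [41337]),               # the /tmp/httpd pattern
    Proc(1400, "vmuser", "/dev/shm/httpd (deleted)", [5555]),  # binary unlinked after start
    Proc(1500, "vmuser", "/usr/bin/python3", [8000]),          # trusted path: not flagged
    Proc(1600, "vmuser", "/tmp/build/a.out", []),              # no listening socket: not flagged
]

if __name__ == "__main__":
    for pid, user, exe in find_staged_listeners(SAMPLE):
        print(f"pid {pid}: {user} runs listening binary {exe} from a writable directory")
```

On a live host the records can be built from /proc/<pid>/exe, /proc/<pid>/status and the output of `ss -ltnp`; hits are candidates for review, not confirmed compromises, since legitimate user services occasionally run from these paths.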
Daily Brief Summary
Broadcom has patched a high-severity privilege escalation vulnerability in VMware Aria Operations and VMware Tools, exploited since October 2024 by Chinese state-sponsored group UNC5174.
The vulnerability, CVE-2025-41244, allows unprivileged local attackers to escalate privileges by executing malicious binaries within specific file paths.
NVISO released a proof-of-concept exploit demonstrating how attackers can gain root-level code execution on affected systems.
UNC5174, linked to China's Ministry of State Security, has previously targeted U.S. defense contractors and UK government entities, selling network access.
The group has exploited multiple vulnerabilities, including those in F5 BIG-IP and ConnectWise ScreenConnect, impacting hundreds of institutions across the U.S. and Canada.
Other Chinese threat actors have participated in similar campaigns, compromising over 580 SAP NetWeaver instances, including critical infrastructure in the UK and U.S.
Broadcom also addressed additional VMware vulnerabilities reported by the NSA, reflecting ongoing efforts to secure its software against active threats.