
Chinese hackers exploiting VMware zero-day since October 2024


Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024.

While the American technology giant didn't tag this security bug (CVE-2025-41244) as exploited in the wild, it thanked NVISO threat researcher Maxime Thiebaut for reporting the bug in May.

However, yesterday, the European cybersecurity company disclosed that this vulnerability was first exploited in the wild beginning mid-October 2024 and linked the attacks to the UNC5174 Chinese state-sponsored threat actor.

"To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd," Thiebaut explained.

"To ensure the malicious binary is picked up by the VMware service discovery, the binary must be run by the unprivileged user (i.e., show up in the process tree) and open at least a (random) listening socket."

NVISO also released a proof-of-concept exploit that demonstrates how attackers can exploit the CVE-2025-41244 flaw to escalate privileges on systems running vulnerable VMware Aria Operations (in credential-based mode) and VMware Tools (in credential-less mode) software, ultimately gaining root-level code execution on the VM.
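The pattern described above (a binary in a world-writable location such as /tmp/httpd, run by an unprivileged user, holding a listening socket so that the privileged VMware service discovery picks it up) is also what a defender should hunt for on guest VMs. The following Python is an added example written for this page; it is not NVISO's proof-of-concept and not VMware's own discovery code. The staging-directory list is this example's assumption, not the product's actual regular expressions, and the process snapshot is constructed sample data, not real telemetry.

```python
"""Hunt for the CVE-2025-41244 staging pattern: a non-root process whose
executable lives in a world-writable directory and that holds a TCP socket
in LISTEN state. Example code for this page, not NVISO's PoC and not
VMware's discovery logic."""
import os
import re
from dataclasses import dataclass

# Assumption: common world-writable staging directories on a Linux guest.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class Proc:
    pid: int
    uid: int
    exe: str          # resolved executable path; may end in " (deleted)"
    listening: bool   # holds at least one TCP socket in LISTEN state


def is_staged_listener(p: Proc) -> bool:
    """True for a non-root process with a listener running from a staging dir.
    A " (deleted)" suffix (binary unlinked after exec) still matches, which is
    the anti-forensic variant a hunter most wants to see."""
    return p.listening and p.uid != 0 and p.exe.startswith(STAGING_DIRS)


def find_staged_listeners(procs):
    """Return every process in the snapshot that matches the staging pattern."""
    return [p for p in procs if is_staged_listener(p)]


def listening_inodes(tcp_table: str) -> set:
    """Parse /proc/net/tcp or /proc/net/tcp6 text: state 0A is LISTEN and the
    socket inode is the tenth column."""
    inodes = set()
    for line in tcp_table.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) > 9 and cols[3] == "0A":
            inodes.add(cols[9])
    return inodes


def collect_from_proc():
    """Live collector for a Linux host; run as root so other users' exe links
    and fd tables can be read. Returns a list of Proc for find_staged_listeners."""
    inodes = set()
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as f:
                inodes |= listening_inodes(f.read())
        except OSError:
            pass
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            uid = os.stat(f"/proc/{pid}").st_uid
            exe = os.readlink(f"/proc/{pid}/exe")
            listening = False
            for fd in os.listdir(f"/proc/{pid}/fd"):
                try:
                    target = os.readlink(f"/proc/{pid}/fd/{fd}")
                except OSError:
                    continue
                m = re.fullmatch(r"socket:\[(\d+)\]", target)
                if m and m.group(1) in inodes:
                    listening = True
                    break
        except OSError:
            continue   # process exited, or not ours to inspect
        procs.append(Proc(pid, uid, exe, listening))
    return procs


# Constructed sample snapshot (not real telemetry): the in-the-wild /tmp/httpd
# case run by uid 1000 with a listener, beside benign noise and near misses.
SAMPLE_PROCS = [
    Proc(1, 0, "/usr/lib/systemd/systemd", False),
    Proc(812, 0, "/usr/sbin/sshd", True),
    Proc(4242, 1000, "/tmp/httpd", True),             # the staged binary
    Proc(4300, 1000, "/tmp/httpd (deleted)", True),   # same, binary unlinked
    Proc(4311, 1000, "/tmp/helper", False),           # no socket: not picked up
    Proc(5002, 1000, "/home/dev/app/httpd", True),    # outside staging dirs
]

# Constructed /proc/net/tcp excerpt: two LISTEN sockets (0A) and one ESTABLISHED (01).
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8AB2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 67891 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    snapshot = collect_from_proc() if os.path.isdir("/proc/1") else SAMPLE_PROCS
    for p in find_staged_listeners(snapshot):
        print(f"pid={p.pid} uid={p.uid} exe={p.exe}")
```

On the sample data this flags pids 4242 and 4300 only: the helper with no socket and the listener under a home directory are left alone, as is root's sshd. The check is deliberately broader than the single /tmp/httpd name reported in the wild, since the article notes the matched paths are broad; tune STAGING_DIRS to whatever is world-writable on your guest images, and treat a " (deleted)" hit as a priority since the binary is no longer on disk to be collected.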

A Broadcom spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Who is UNC5174?

Google Mandiant analysts assess UNC5174 to be a contractor for China's Ministry of State Security (MSS). In late 2023, they observed the group selling access to the networks of U.S. defense contractors, UK government entities, and Asian institutions, following attacks that exploited the F5 BIG-IP CVE-2023-46747 remote code execution vulnerability.

In February 2024, it also exploited the CVE-2024-1709 ConnectWise ScreenConnect flaw to breach hundreds of U.S. and Canadian institutions.
