Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024.
While the American technology giant did not tag this security bug (CVE-2025-41244) as exploited in the wild, it thanked NVISO threat researcher Maxime Thiebaut for reporting the bug in May.
However, yesterday, the European cybersecurity company disclosed that this vulnerability was first exploited in the wild starting mid-October 2024 and linked the attacks to the UNC5174 Chinese state-sponsored threat actor.
“To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd,” Thiebaut explained.
“To ensure the malicious binary is picked up by the VMware service discovery, the binary must be run by the unprivileged user (i.e., show up in the process tree) and open at least a (random) listening socket.”
NVISO also released a proof-of-concept exploit that demonstrates how attackers can exploit the CVE-2025-41244 flaw to escalate privileges on systems running vulnerable VMware Aria Operations (in credential-based mode) and VMware Tools (in credential-less mode) software, ultimately gaining root-level code execution on the VM.
A Broadcom spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
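The two conditions Thiebaut describes (a non-root process running from a user-writable path such as /tmp/httpd, and that process holding a listening socket) are also what a defender can hunt for on Linux guests. The script below is an added example for this article, not NVISO's proof of concept or VMware code; the writable-directory list and the `Proc` record are constructed assumptions, and `collect_from_proc` is a best-effort live collector that needs /proc.

```python
import os
from dataclasses import dataclass

# User-writable locations where a staged binary such as /tmp/httpd
# would live (constructed list; extend to match your environment).
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

@dataclass
class Proc:
    pid: int
    uid: int
    exe: str          # resolved path of the running executable
    listening: bool   # process holds at least one TCP LISTEN socket

def is_staged_candidate(p: Proc) -> bool:
    """Non-root process running from a writable dir while listening on a socket."""
    if p.uid == 0 or not p.listening:
        return False
    return any(p.exe.startswith(d + "/") for d in WRITABLE_DIRS)

def find_candidates(procs):
    return [p for p in procs if is_staged_candidate(p)]

def listening_inodes():
    """Socket inodes in LISTEN state (st == 0A) from /proc/net/tcp and tcp6."""
    inodes = set()
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as f:
                next(f)                       # skip header row
                inodes.update(l.split()[9] for l in f if l.split()[3] == "0A")
        except OSError:
            pass
    return inodes

def collect_from_proc():
    """Build Proc records from a live Linux /proc (PIDs we cannot read are skipped)."""
    listen = listening_inodes()
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            uid = os.stat(f"/proc/{pid}").st_uid
            fds = [os.readlink(f"/proc/{pid}/fd/{fd}")
                   for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            continue
        socks = {t[8:-1] for t in fds if t.startswith("socket:[")}
        procs.append(Proc(int(pid), uid, exe, bool(socks & listen)))
    return procs
```

Run `find_candidates(collect_from_proc())` as root so every process's fd table is readable; a hit is a lead to triage (compare against the host's known services), not proof of exploitation.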
Who is UNC5174?
Google Mandiant security analysts, who believe UNC5174 is a contractor for China’s Ministry of State Security (MSS), have observed the threat actor selling access to networks of U.S. defense contractors, UK government entities, and Asian institutions in late 2023, following attacks that exploited the F5 BIG-IP CVE-2023-46747 remote code execution vulnerability.
In February 2024, it also exploited the CVE-2024-1709 ConnectWise ScreenConnect flaw to breach hundreds of U.S. and Canadian institutions.
Earlier this year, in May, UNC5174 was also linked to the in-the-wild exploitation of the CVE-2025-31324 unauthenticated file upload flaw that allows attackers to gain remote code execution on vulnerable NetWeaver Visual Composer servers.
Other Chinese threat actors (e.g., Chaya_004, UNC5221, and CL-STA-0048) also joined this wave of attacks, backdooring over 580 SAP NetWeaver instances, including critical infrastructure in the UK and the United States.
On Monday, Broadcom also patched two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA).
In March, the company fixed three other actively exploited VMware zero-day bugs (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) reported by the Microsoft Threat Intelligence Center.