CVE-2025-41244: VMware Zero-Day Exploited in Real Attacks, Patch Released


A critical security flaw in Broadcom VMware Tools and VMware Aria Operations has been actively exploited by a China-linked hacking group since October 2024. Security researchers at NVISO Labs revealed that the zero-day vulnerability, now tracked as CVE-2025-41244, was leveraged by the threat actor known as UNC5174 to escalate privileges on targeted systems.

This vulnerability, rated with a CVSS score of 7.8, affects multiple VMware products, including:

  • VMware Cloud Foundation 4.x, 5.x, 9.x.x.x, 13.x.x.x (Windows, Linux)

  • VMware vSphere Foundation 9.x.x.x, 13.x.x.x (Windows, Linux)

  • VMware Aria Operations 8.x

  • VMware Tools 11.x.x, 12.x.x, 13.x.x (Windows, Linux)

  • VMware Telco Cloud Platform 4.x, 5.x

  • VMware Telco Cloud Infrastructure 2.x, 3.x

According to VMware’s advisory, the flaw is a local privilege escalation (LPE) bug. In simpler terms, an attacker with non-administrative access to a virtual machine running VMware Tools and managed by Aria Operations could exploit this flaw to gain root-level privileges.

While this type of vulnerability requires attackers to already have access to a system, it becomes dangerous when paired with other attacks such as phishing, malware deployment, or exploiting other software weaknesses. Once inside, attackers could escalate their rights to full administrative control, making it easier to deploy malware, steal sensitive data, or move laterally across networks.

The flaw was first reported on May 19, 2025, by Maxime Thiebaut, a researcher at NVISO Labs, during an incident response investigation. Broadcom has since released patches, with VMware Tools 12.5.4 fixing the issue on Windows 32-bit systems. For Linux, distribution vendors will ship updated open-vm-tools packages that address the problem.

The root cause of the vulnerability lies in a function called get_version(), which uses regular expressions (regex) to identify binaries with listening sockets.

  • Normally, this process is designed to recognize legitimate system binaries (like /usr/bin/httpd).

  • However, because the pattern relies on the broad \S regex class (any non-whitespace character) for the path portion, it also matches non-system binaries stored in user-writable directories such as /tmp.

  • This oversight allows attackers to place a malicious fake binary (e.g., /tmp/httpd) in these directories.

  • When the VMware metrics collection service executes the binary, the attacker’s code runs with root privileges, leading to full compromise.
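As an added illustration (not code from the article, NVISO, or open-vm-tools), the block below contrasts a simplified \S-based pattern of the shape described above with an allowlisted variant, and shows the path check a defender can run over a process listing to spot daemon-named binaries outside system directories. The pattern, daemon names, directory allowlist, and sample command lines are assumptions constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Hypothetical, simplified pattern of the shape the article describes: a
# greedy \S+ run (any non-whitespace) before a known daemon name. It is an
# illustration of the \S problem, not the regex used in open-vm-tools.
BROAD_PATTERN = re.compile(r"(\S+/(?:httpd|nginx|sshd))\b")

# Hardened variant (assumption): the directory part is an explicit allowlist
# of root-owned system locations, anchored at a token boundary so that a
# path such as /opt/sbin/httpd cannot be matched via its "/sbin" suffix.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin", "/usr/local/sbin")
STRICT_PATTERN = re.compile(
    r"(?<!\S)((?:" + "|".join(re.escape(d) for d in TRUSTED_DIRS)
    + r")/(?:httpd|nginx|sshd))\b"
)


def broad_match(cmdline):
    """Path the \\S-based pattern would pick out, or None."""
    m = BROAD_PATTERN.search(cmdline)
    return m.group(1) if m else None


def strict_match(cmdline):
    """Path the allowlisted pattern would pick out, or None."""
    m = STRICT_PATTERN.search(cmdline)
    return m.group(1) if m else None


def in_trusted_dir(path):
    """Independent allowlist check a collector should apply before executing."""
    return PurePosixPath(path).parent.as_posix() in TRUSTED_DIRS


def flag_suspicious(cmdlines):
    """Detection view: daemon-named binaries living outside trusted dirs."""
    hits = []
    for line in cmdlines:
        path = broad_match(line)
        if path is not None and not in_trusted_dir(path):
            hits.append(path)
    return hits


# Constructed sample command lines, as a process listing might show them.
SAMPLE_CMDLINES = [
    "/usr/sbin/httpd -k start",
    "/tmp/httpd",
    "/home/user/.local/nginx -g daemon",
    "/usr/sbin/sshd -D",
]

if __name__ == "__main__":
    print("flagged:", flag_suspicious(SAMPLE_CMDLINES))
```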

NVISO observed the hacking group UNC5174 using exactly this technique to gain elevated shells on victim systems.

The exploitation has been linked to UNC5174, also known as Uteus or Uetus, a threat group with ties to China. According to Google Mandiant, this group has a history of targeting enterprise software, including Ivanti and SAP NetWeaver, to gain initial access into corporate and government networks.

UNC5174 is known for exploiting newly discovered flaws quickly, often before vendors can issue patches. The group’s ability to adapt and weaponize vulnerabilities highlights how sophisticated nation-state actors continue to exploit software ecosystems like VMware, which are widely used in enterprises and cloud environments worldwide.


The CVE-2025-41244 vulnerability is especially concerning because:

  1. Wide product impact – Multiple VMware platforms used in enterprise, telecom, and cloud environments are affected.

  2. Privilege escalation – Even if attackers gain only low-level access, they can turn it into full system compromise.

  3. Stealth potential – Since attackers mimic legitimate binaries, malicious activities can go unnoticed for long periods.

  4. Nation-state involvement – The involvement of a China-linked APT group shows that this is not opportunistic crimeware but part of larger cyber-espionage efforts.

Broadcom has urged customers to immediately apply the latest updates. The company confirmed that VMware Tools 12.5.4 resolves the issue for Windows systems and that Linux distributions will release updated open-vm-tools packages.

Organizations using VMware Cloud Foundation, vSphere Foundation, Aria Operations, and Telco Cloud platforms must prioritize patching. Until updates are applied, administrators should:

  • Limit user access to virtual machines.

  • Monitor for unexpected executables, especially ones named after system daemons, in user-writable directories such as /tmp.

  • Use endpoint detection and response (EDR) tools to identify privilege escalation attempts.

  • Regularly audit system logs for unexpected shell activity.

Maxime Thiebaut from NVISO highlighted that the exploit’s simplicity means it might have been unintentionally exploited by other malware strains over the years. The technique of mimicking system binaries is not new, but its effectiveness in VMware environments underscores the importance of careful code design and regex validation.

He warned:

“The broad practice of mimicking system binaries highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years.”

The exploitation of VMware zero-day CVE-2025-41244 by China-linked hackers UNC5174 is a clear reminder that widely used virtualization and cloud platforms remain prime targets for advanced persistent threat (APT) groups.

With enterprises heavily dependent on VMware for critical operations, attackers exploiting privilege escalation vulnerabilities pose serious risks to data integrity, privacy, and business continuity.

Organizations must act quickly by applying patches, monitoring for suspicious activities, and hardening access controls. As attackers continue to exploit overlooked weaknesses, proactive security remains the only effective defense.
