Chinese Hackers Exploiting VMware Zero-Day Since 2024

Summary
– Broadcom has patched a high-severity privilege escalation vulnerability (CVE-2025-41244) in VMware Aria Operations and VMware Tools software that was exploited in zero-day attacks since October 2024.
– The vulnerability was exploited by UNC5174, a Chinese state-sponsored threat actor, who used it to gain root-level code execution on virtual machines by staging malicious binaries in specific paths like /tmp/httpd.
– UNC5174 is believed to be a contractor for China’s Ministry of State Security and has previously targeted U.S. defense contractors, UK government entities, and Asian institutions using other vulnerabilities like CVE-2023-46747 and CVE-2024-1709.
– The security flaw was reported by NVISO researcher Maxime Thiebaut in May, and NVISO has released a proof-of-concept exploit demonstrating how attackers can escalate privileges on vulnerable systems.
– Broadcom also recently patched two high-severity VMware NSX vulnerabilities reported by the NSA and fixed three other actively exploited VMware zero-day bugs in March reported by Microsoft.
A critical security flaw within Broadcom’s VMware Aria Operations and VMware Tools software has been addressed following its active exploitation as a zero-day vulnerability since October 2024. This high-severity privilege escalation issue, tracked as CVE-2025-41244, enables attackers to gain root-level control over affected virtual machines. Although Broadcom did not initially classify the bug as exploited in the wild, the company acknowledged NVISO threat researcher Maxime Thiebaut for reporting the vulnerability in May.
European cybersecurity firm NVISO later revealed that exploitation began in mid-October 2024 and attributed these attacks to UNC5174, a Chinese state-sponsored threat actor. Thiebaut detailed the exploitation method, explaining that “an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths,” with attackers commonly using the /tmp/httpd directory. For successful exploitation, the malicious binary must be executed by the unprivileged user and open at least one random listening socket to be detected by VMware’s service discovery.
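The precondition described above (an unprivileged process that was started from a user-writable path such as /tmp/httpd and holds a listening socket, so that the service-discovery helper picks it up) is something a host agent can look for. The following is an added detection example, not code from NVISO, Broadcom or the original article; the `ss -ltnp` output and the pid-to-executable table are constructed, and the list of writable prefixes is an assumption to tune per host.

```python
import re

# Writable locations an unprivileged user can stage a binary in. The article
# names /tmp/httpd as the path seen in the wild; the other prefixes are assumed.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample of `ss -ltnp` output (not a real capture).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:41733    0.0.0.0:*         users:(("httpd",pid=4242,fd=4))
LISTEN 0      4096   0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1301,fd=6))
"""

# Constructed pid -> (uid, resolved /proc/<pid>/exe) table, as a host agent
# would collect it from /proc.
PROC_TABLE = {
    812: (0, "/usr/sbin/sshd"),
    4242: (1000, "/tmp/httpd"),
    1301: (0, "/usr/sbin/nginx"),
}

PID_RE = re.compile(r"pid=(\d+)")


def listening_pids(ss_output: str) -> set:
    """Return the set of pids that hold at least one listening socket."""
    pids = set()
    for line in ss_output.splitlines():
        if line.startswith("LISTEN"):
            pids.update(int(p) for p in PID_RE.findall(line))
    return pids


def staged_listeners(ss_output: str, proc_table: dict) -> list:
    """Flag non-root listeners whose executable lives in a user-writable path.

    Returns a sorted list of (pid, uid, exe) tuples for review.
    """
    hits = []
    for pid in sorted(listening_pids(ss_output)):
        uid, exe = proc_table.get(pid, (None, ""))
        if uid is not None and uid != 0 and exe.startswith(UNTRUSTED_PREFIXES):
            hits.append((pid, uid, exe))
    return hits


if __name__ == "__main__":
    for pid, uid, exe in staged_listeners(SS_OUTPUT, PROC_TABLE):
        print(f"pid={pid} uid={uid} exe={exe}: listener staged in a writable path")
```

On a real host, replace the constructed inputs with the live `ss -ltnp` output and the `uid`/`exe` values read from `/proc/<pid>/status` and `/proc/<pid>/exe`; a hit is a candidate for review, not proof of exploitation.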
NVISO has published a proof-of-concept exploit demonstrating how attackers leverage CVE-2025-41244 to escalate privileges on systems running vulnerable VMware Aria Operations in credential-based mode and VMware Tools in credential-less mode, ultimately achieving complete system control.
UNC5174 has been identified by Google Mandiant security analysts as likely operating as a contractor for China’s Ministry of State Security. The threat actor has been observed selling network access to U.S. defense contractors, UK government entities, and Asian institutions since late 2023. Their attack campaigns have consistently targeted critical vulnerabilities, including the F5 BIG-IP CVE-2023-46747 remote code execution flaw and the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which impacted hundreds of organizations across the United States and Canada.
Earlier this year, UNC5174 was linked to exploiting CVE-2025-31324, an unauthenticated file upload vulnerability in NetWeaver Visual Composer servers that enables remote code execution. Other Chinese threat groups, including Chaya_004, UNC5221, and CL-STA-0048, participated in these attacks, compromising over 580 SAP NetWeaver instances, including critical infrastructure in both the United Kingdom and the United States.
In related security developments, Broadcom recently addressed two additional high-severity vulnerabilities in VMware NSX reported by the U.S. National Security Agency. This follows the company’s March patch release for three other actively exploited VMware zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) that were initially reported by the Microsoft Threat Intelligence Center.
(Source: Bleeping Computer)