CISA Urges Immediate VMware Patch for Chinese Hacker Exploit

Summary

– CISA warned U.S. government agencies to patch a high-severity VMware vulnerability (CVE-2025-41244) that allows local privilege escalation to root on affected virtual machines.
– Federal agencies have until November 20 to patch this vulnerability under Binding Operational Directive 22-01, while CISA urges all organizations to prioritize patching.
– The vulnerability has been exploited since mid-October 2024 by UNC5174, a Chinese state-sponsored threat actor linked to China’s Ministry of State Security.
– UNC5174 has previously exploited other vulnerabilities to target U.S. defense contractors, UK government entities, and hundreds of North American institutions.
– Broadcom has patched multiple other actively exploited VMware vulnerabilities this year, including zero-days reported by Microsoft and flaws reported by the NSA.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for U.S. government bodies to address a critical security flaw in Broadcom’s VMware Aria Operations and VMware Tools software. Identified as CVE-2025-41244, this vulnerability permits attackers with local, non-administrative access to escalate their privileges to root level on the same virtual machine. Federal agencies must apply the available patch within three weeks to comply with Binding Operational Directive 22-01.

CISA has officially listed this vulnerability in its Known Exploited Vulnerabilities catalog, signaling that malicious actors are already leveraging it in active campaigns. Although the directive specifically targets Federal Civilian Executive Branch agencies, such as the Departments of Homeland Security, Energy, Treasury, and Health and Human Services, CISA strongly advises all organizations using the affected software to implement the patch immediately. The agency emphasized that such flaws represent common and dangerous attack vectors, recommending that entities either apply vendor-provided mitigations or discontinue use of the product if patching is not feasible.

Evidence indicates that exploitation of this vulnerability began as early as October 2024. Maxime Thiebaut of cybersecurity firm NVISO reported that UNC5174, a Chinese state-sponsored threat group, has been actively abusing the flaw. Thiebaut also published proof-of-concept code illustrating how attackers can achieve privilege escalation on systems running vulnerable versions of VMware Aria Operations and VMware Tools, ultimately enabling root-level code execution.

Google’s Mandiant analysts have linked UNC5174 to China’s Ministry of State Security, noting that the group has previously sold network access belonging to U.S. defense contractors, UK government bodies, and Asian institutions. This activity followed earlier attacks leveraging an F5 BIG-IP remote code execution vulnerability (CVE-2023-46747). In February 2024, the same actor exploited a ConnectWise ScreenConnect flaw (CVE-2024-1709) to compromise hundreds of organizations across the United States and Canada. More recently, in May, UNC5174 was associated with attacks targeting a NetWeaver unauthenticated file upload vulnerability (CVE-2025-31324), which allows remote code execution on unpatched servers.

This latest VMware vulnerability is part of a broader pattern. Since the beginning of the year, Broadcom has resolved three other zero-day flaws in VMware products, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, which were reported by the Microsoft Threat Intelligence Center. Additionally, the company released patches for two high-severity issues in VMware NSX (CVE-2025-41251 and CVE-2025-41252) following disclosures by the U.S. National Security Agency. These repeated incidents highlight the persistent targeting of virtualization infrastructure and the critical need for timely security updates.

(Source: Bleeping Computer)