VMware Zero-Day (CVE-2025-41244) Exploited by Chinese APT UNC5174 Since October 2024
Broadcom has patched a critical privilege escalation vulnerability in VMware Aria Operations and VMware Tools, which had been actively exploited as a zero-day since October 2024. The flaw, tracked as CVE-2025-41244, was not initially acknowledged as exploited in Broadcom’s official advisory. However, Maxime Thibaut of NVISO had disclosed the issue back in May, and NVISO later confirmed that active attacks began in mid-October 2024. Subsequent analysis linked the exploitation to the Chinese threat group UNC5174.
The vulnerability allows an unprivileged local user to place a malicious binary in a location matched by the service's broad regular expressions. One technique observed in real-world attacks used the /tmp/httpd path. To be picked up by the VMware service, the malware had to be running as a standard user and have opened a random network socket.
Once triggered, attackers could escalate privileges to root and execute arbitrary code within the virtual machine. NVISO also released a proof-of-concept exploit demonstrating how the flaw can be leveraged to compromise VMware Aria Operations when running in credential mode and VMware Tools in credential-less mode.
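As an added illustration (not code from the article, NVISO or Broadcom), the following Python check shows how a defender could hunt for the pattern described above: a binary in a user-writable location whose name matches a broad service regex, running as a non-root user with an open network socket. The regex, the directory prefixes and the process records are assumptions constructed for this example, not VMware's actual patterns.

```python
import re

# Constructed sample of running processes (pid, uid, executable path, socket open).
# These records are invented for illustration, not data from the advisory.
SAMPLE_PROCESSES = [
    {"pid": 1201, "uid": 0,    "exe": "/usr/sbin/httpd",    "listening": True},
    {"pid": 4312, "uid": 1000, "exe": "/tmp/httpd",         "listening": True},
    {"pid": 4400, "uid": 1000, "exe": "/tmp/httpd",         "listening": False},
    {"pid": 5001, "uid": 1000, "exe": "/home/alice/mysqld", "listening": True},
    {"pid": 6123, "uid": 33,   "exe": "/usr/sbin/nginx",    "listening": True},
]

# Assumed stand-in for the "broad regular expressions" the article mentions:
# any path whose final component looks like a well-known service binary.
SERVICE_NAME_RE = re.compile(r".*/(?:httpd|nginx|mysqld|postgres|dataserver)$")

# Locations an unprivileged user can normally write to (assumption for this example).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def is_suspicious(proc):
    """Return True when a process matches all three conditions from the article:
    service-like binary name, run by a non-root user, network socket open,
    and additionally lives under a user-writable directory."""
    exe = proc["exe"]
    if not SERVICE_NAME_RE.match(exe):
        return False                      # name does not look like a service
    if proc["uid"] == 0 or not proc["listening"]:
        return False                      # root or no socket: not the abuse pattern
    return exe.startswith(UNTRUSTED_PREFIXES)


def find_suspicious(processes):
    """Return the pids of processes that match the impersonation pattern."""
    return [p["pid"] for p in processes if is_suspicious(p)]


if __name__ == "__main__":
    for pid in find_suspicious(SAMPLE_PROCESSES):
        print(f"service-impersonation candidate: pid {pid}")
```

On a live host the same logic can be fed from `/proc/<pid>/exe` symlinks and socket inventories instead of the constructed records.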
According to Google Mandiant, UNC5174 operates on behalf of China’s Ministry of State Security (MSS). In 2023, the group was observed selling access to networks belonging to U.S. defense contractors, U.K. government entities, and Asian organizations by exploiting CVE-2023-46747 in F5 BIG-IP.
In February 2024, UNC5174 weaponized CVE-2024-1709 in ConnectWise ScreenConnect, targeting hundreds of institutions across the United States and Canada. By the spring of 2025, the group was also linked to the exploitation of CVE-2025-31324, a file upload vulnerability in SAP NetWeaver Visual Composer, which enabled remote code execution. Attacks against SAP systems also involved other Chinese-affiliated clusters, including Chaya_004, UNC5221, and CL-STA-0048, who collectively deployed backdoors on more than 580 NetWeaver instances, including critical infrastructure targets in the U.S. and the U.K.