Broadcom finally patches dangerous VMware zero-day exploited by Chinese hackers


  • Broadcom patches CVE-2025-41244, a high-severity VMware privilege escalation zero-day
  • Chinese actor UNC5174 exploited the bug using malicious binaries in paths like /tmp/httpd
  • UNC5174 previously targeted French government and commercial sectors using Ivanti CSA vulnerabilities

Broadcom has patched a high-severity vulnerability affecting its VMware Aria Operations and VMware Tools that was apparently used as a zero-day in real-world attacks.

In a new security advisory, the company said it fixed a local privilege escalation vulnerability which allowed a local user with limited access to a VM to become root, provided that VMware Tools and Aria Operations (with SDMP enabled) were running on that VM. The bug is now tracked as CVE-2025-41244 and was given a severity score of 7.8/10 (high).

Those looking for a fix for Windows 32-bit should seek out VMware Tools 12.4.9, part of VMware Tools 12.5.4. For Linux, a fixed version of open-vm-tools will be distributed by Linux vendors.

UNC5174 accused

The advisory also mentions a pair of other vulnerabilities that were fixed, but it does not mention any in-the-wild abuse.

BleepingComputer, however, spotted a separate report from cybersecurity researchers NVISO, who not only confirmed the in-the-wild exploitation, but also released a proof-of-concept (PoC) that demonstrates how threat actors might exploit the bug to escalate privileges on compromised systems.

They also said that Chinese state-sponsored actors were the ones leveraging this bug: "To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd," NVISO said in a report.
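A defender-side hunting check for the staging pattern described above, added here as an example that is not part of the article, NVISO's report, or VMware's code: it lists executables sitting in user-writable directories whose file name looks like a system daemon (such as /tmp/httpd). The daemon-name pattern and the directory list are assumptions; the article does not give the actual regular expressions the vulnerable component matches.

```python
import os
import re
import stat
from pathlib import Path

# Assumed watch list: daemon-style names that a service-discovery scanner might
# match by process name. The real patterns used by the vulnerable component are
# not given in the article, so tune this list for your environment.
DAEMON_NAME_RE = re.compile(r"^(httpd|nginx|mysqld|postgres|sshd|java)$")

# Directories a low-privileged local user can normally write to (assumption).
DEFAULT_STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def is_executable_regular_file(path: Path) -> bool:
    """True for a regular file with any execute bit set; symlinks are not followed."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def find_staged_daemon_lookalikes(dirs=DEFAULT_STAGING_DIRS, name_re=DAEMON_NAME_RE, max_depth=2):
    """Return the sorted paths of executables under the given staging directories
    whose basename matches name_re, walking at most max_depth levels down."""
    hits = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for root, subdirs, files in os.walk(base):
            depth = len(Path(root).relative_to(base).parts)
            if depth >= max_depth:
                subdirs[:] = []  # stop descending past max_depth
            for name in files:
                p = Path(root) / name
                if name_re.match(name) and is_executable_regular_file(p):
                    hits.append(str(p))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_staged_daemon_lookalikes():
        print("suspicious daemon-named executable in staging dir:", hit)
```

A hit is only a lead: confirm the file's owner, hash and creation time before treating it as evidence of abuse.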

UNC5174 is a known Chinese state-sponsored actor. This summer, it was reported that the group targeted French government agencies in late 2024, as well as numerous commercial entities such as telcos, finance, and transportation organizations.

Back then, the French National Agency for the Security of Information Systems (ANSSI) noted threat actors were abusing three security vulnerabilities in Ivanti CSA devices: CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
