Redazione RHC : 1 October 2025 15:56
Broadcom has fixed a severe privilege escalation vulnerability in VMware Aria Operations and VMware Tools that was exploited in attacks starting in October 2024. The issue has been assigned the identifier CVE-2025-41244. While the company did not report an exploit in the official bulletin , NVISO researcher Maxime Thibault reported in May that the attacks began in mid-October 2024. Analysis linked the attacks to the Chinese group UNC5174 .
The vulnerability allows an unprivileged local user to inject a malicious binary into directories that match generic regular expressions . A variant observed in real-world attacks uses the /tmp/httpd directory. For the malware to be detected by the VMware service, it must be run as a normal user and open a random network socket.
As a result, attackers gain the ability to escalate root privileges and execute arbitrary code within the virtual machine. NVISO has also published a demonstration exploit showing how this flaw can be used to compromise VMware Aria Operations in credentialed mode and VMware Tools in non-credentialed mode.
According to Google Mandiant, UNC5174 operates on behalf of the Chinese Ministry of State Security. In 2023, the group sold access to the networks of U.S. defense contractors, British government agencies, and Asian organizations by exploiting the CVE-2023-46747 vulnerability in F5 BIG-IP.
In February 2024, they exploited the CVE-2024-1709 vulnerability in ConnectWise ScreenConnect, attacking hundreds of institutions in the United States and Canada.
In spring 2025, the group was also observed exploiting the CVE-2025-31324 vulnerability, a file upload error in NetWeaver Visual Composer that allowed arbitrary code execution. Other Chinese groups have also participated in attacks on SAP systems, including Chaya_004, UNC5221, and CL-STA-0048, which installed backdoors on over 580 NetWeaver instances, including those on critical infrastructure in the United States and the United Kingdom.
Redazione