
"The vulnerability affects VMware Tools and VMware Aria Operations. These management layers inside the VMware solution proved susceptible to privilege escalation and root-level code execution. In the wrong hands, this bug could lead to major problems. VMware Tools gave users elevated privileges when searching binaries for component versions. This allowed attackers to activate binaries that did not belong to the managed systems."
"Nviso, a security company focused on pentesting and incident response, discovered that the China-backed attacker UNC5174 exploited the bug. It is noteworthy that it is unclear whether this was intentional: after all, the use of malicious binaries also occurs in other contexts. VMware's tooling unintentionally picked up these binaries and granted higher privileges, but it is not known whether this was actually an attack vector."
"UNC5174 has already come under scrutiny from security researchers. Sysdig reported in April that this cyber group knows how to conceal itself by using open-source tooling such as VShell. Thankfully, the analyst spotlight shines brightly on the threat actor. Between the Sysdig and Nviso reports, WhoisXML API unveiled the "DNS underbelly" of the collective, making it easier to spot it in the wild."
"However, according to Nviso, the behavior of the VMware tooling is concerning enough that various malware variants may have taken advantage of it. Fortunately, exploitation of CVE-2025-41244 is "easily detected," according to Nviso analyst Maxime Thiebaut. The vulnerability received a CVSS score of 7.8, or "high." As usual, we should note that these scores rarely correspond to the actual severity of an exploit. In any case, a patch is available to fix the problem."
Broadcom patched CVE-2025-41244, a vulnerability in VMware Tools and VMware Aria Operations that allowed privilege escalation and root-level code execution. The affected component ran with elevated privileges while probing binaries for component versions, so a binary that did not belong to the managed system could be picked up and executed as root. Nviso reports that the China-backed group UNC5174 exploited the bug, though whether this was deliberate is unclear: malicious binaries are dropped in other contexts too, and VMware's tooling may simply have picked them up. Earlier reporting from Sysdig and WhoisXML API gives additional visibility into UNC5174 and its infrastructure. Nviso states that exploitation is easily detected. The vulnerability carries a CVSS score of 7.8 (high) and a patch is available; organizations should apply it and watch for binaries being executed with root privileges from locations where no managed component should live.
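The mechanism described above (a root-privileged discovery routine that runs binaries to read their version, which turns into code execution when the binary sits somewhere a managed component never would) is also what makes exploitation easy to detect. The following is an added example, not code from Techzine, Nviso, VMware or Broadcom: a small Python checker that runs over constructed process-execution events and flags a privileged version probe of a binary outside the directories a managed system's components normally occupy. The event format, the parent process name `vmtoolsd`, the set of version flags and the trusted directory list are all assumptions made for illustration; map them onto the telemetry your EDR or auditd actually emits.

```python
import posixpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events (not real telemetry): one dict per process execution,
# recording the parent process name, the child's effective uid, the child's
# executable path and its argument vector.
SAMPLE_EVENTS = [
    {"parent": "vmtoolsd", "uid": 0, "exe": "/usr/sbin/httpd", "argv": ["/usr/sbin/httpd", "-v"]},
    {"parent": "vmtoolsd", "uid": 0, "exe": "/tmp/httpd", "argv": ["/tmp/httpd", "-v"]},
    {"parent": "bash", "uid": 1000, "exe": "/tmp/httpd", "argv": ["/tmp/httpd", "-v"]},
    {"parent": "vmtoolsd", "uid": 0, "exe": "/home/dev/.cache/nginx", "argv": ["/home/dev/.cache/nginx", "--version"]},
    {"parent": "vmtoolsd", "uid": 0, "exe": "/usr/bin/../../tmp/mysqld", "argv": ["/usr/bin/../../tmp/mysqld", "--version"]},
    {"parent": "vmtoolsd", "uid": 0, "exe": "/opt/app/bin/mysqld", "argv": ["/opt/app/bin/mysqld", "--version"]},
]

# Assumptions for illustration: the discovery daemon's process name, the flags a
# version probe passes, and the directories where a managed component's binaries
# are expected to live. Tune all three to the hosts you actually monitor.
PRIVILEGED_COLLECTORS = {"vmtoolsd"}
VERSION_FLAGS = {"-v", "-V", "--version", "version"}
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/", "/opt/")


@dataclass(frozen=True)
class Finding:
    exe: str        # normalized path of the probed binary
    parent: str     # privileged process that launched it
    reason: str


def normalize(exe: str) -> str:
    """Collapse '..' and '.' so '/usr/bin/../../tmp/x' is judged as '/tmp/x'."""
    return posixpath.normpath(exe)


def is_trusted_path(exe: str) -> bool:
    """True if the normalized path lives under a directory a managed component would use."""
    path = normalize(exe)
    return path.startswith("/") and any(path.startswith(p) for p in TRUSTED_PREFIXES)


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when a privileged collector runs a version probe on an untrusted binary."""
    if event["parent"] not in PRIVILEGED_COLLECTORS or event["uid"] != 0:
        return None                      # not the privileged discovery path
    if not any(arg in VERSION_FLAGS for arg in event["argv"][1:]):
        return None                      # not a version probe
    if is_trusted_path(event["exe"]):
        return None                      # binary belongs to the managed system
    return Finding(
        exe=normalize(event["exe"]),
        parent=event["parent"],
        reason="root version probe of a binary outside trusted directories",
    )


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run classify() over a stream of events and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT {finding.parent} -> {finding.exe}: {finding.reason}")
```

Of the six constructed events, three are flagged: the probe of `/tmp/httpd`, the one under a user's home directory, and the `/usr/bin/../../tmp/mysqld` case, which a naive prefix check would have waved through until the path was normalized. The same probe of `/tmp/httpd` launched from an unprivileged shell is ignored, because the page's concern is the privileged collector, not the binary by itself. Whether `/opt/` belongs on the trusted list depends on who can write there on your hosts; treat the list as a starting point, not a verdict.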
Read at Techzine Global