Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024
"A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor called UNC5174, according to NVISO Labs. The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions - VMware Cloud Foundation 4.x and 5.x VMware Cloud Foundation 9.x.x.x VMware Cloud Foundation 13.x.x.x (Windows, Linux) VMware vSphere Foundation 9.x.x.x VMware vSphere Foundation 13.x.x.x (Windows, Linux) VMware Aria Operations 8.x VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux) VMware Telco Cloud Platform 4.x and 5.x VMware Telco Cloud Infrastructure 2.x and 3.x"
"'A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,' VMware said in an advisory released Monday."
"NVISO researcher Maxime Thiebaut has been credited for discovering and reporting the shortcoming on May 19, 2025, during an incident response engagement. The company also said VMware Tools 12.4.9, which is part of VMware Tools 12.5.4, remediates the issue for Windows 32-bit systems, and that a version of open-vm-tools that addresses CVE-2025-41244 will be distributed by Linux vendors."
CVE-2025-41244 is a local privilege escalation vulnerability (CVSS 7.8) affecting multiple VMware products and VMware Tools releases on Windows and Linux. The vulnerability has been exploited in the wild since mid-October 2024 by UNC5174, a China-linked threat actor, but exploitation requires prior local access to a VM. The flaw impacts VMware Cloud Foundation, vSphere Foundation, Aria Operations, VMware Telco Cloud Platform and Infrastructure, and VMware Tools 11.x–13.x. Remediation includes VMware Tools 12.4.9 (part of 12.5.4) for Windows 32-bit systems and forthcoming open-vm-tools updates from Linux vendors.
Read at The Hacker News