
China-Linked Hackers Exploit New VMware Vulnerability Since Mid-October 2024
A recently patched security vulnerability affecting Broadcom VMware Tools and VMware Aria Operations has been exploited since mid-October 2024 by a hacker group identified as UNC5174, according to NVISO Labs. The vulnerability, tracked as CVE-2025-41244 with a CVSS score of 7.8, is a local privilege escalation bug impacting VMware Cloud Foundation versions 4.x and 5.x. This flaw enables attackers to elevate their privileges on compromised systems, potentially leading to full system compromise.
The technical implications of this vulnerability are significant. Local privilege escalation bugs are particularly dangerous because they can allow attackers to move laterally within a network, access sensitive data, or execute commands with elevated privileges. Given that VMware Cloud Foundation is widely used in enterprise environments, the impact of this vulnerability could be substantial, affecting multiple systems and potentially leading to data breaches or service disruptions.
The CVSS score of 7.8 indicates that this vulnerability is of high severity. The score takes into account factors such as attack complexity, privileges required, and impact on confidentiality, integrity, and availability. A score of 7.8 suggests that the vulnerability is relatively easy to exploit and has a significant impact on affected systems.
The fact that this vulnerability has been actively exploited since mid-October 2024 is a cause for concern. Organizations using affected versions of VMware Cloud Foundation may have been compromised without their knowledge. This highlights the importance of timely patching and continuous monitoring for signs of exploitation.
From a broader cybersecurity landscape perspective, this incident underscores the ongoing threat posed by advanced persistent threat (APT) groups. UNC5174 is likely a sophisticated group, possibly state-sponsored, given their ability to exploit zero-day vulnerabilities and maintain persistence in targeted networks.
For cybersecurity professionals, the actionable intelligence here is to immediately check whether their VMware Cloud Foundation installations are running versions 4.x or 5.x. If so, they should apply the patch for CVE-2025-41244 as soon as possible. They should also look for signs of exploitation, such as unusual privilege escalations or lateral movement within their networks.
In terms of expert insights, it's worth noting that privilege escalation vulnerabilities are often used in conjunction with other exploits. For example, an attacker might first gain initial access through a phishing attack or another vulnerability, then use this privilege escalation bug to gain higher privileges and move deeper into the network.
To mitigate the risk posed by this vulnerability, organizations should follow best practices for patch management and network monitoring. They should also consider implementing additional security controls, such as network segmentation and least privilege access, to limit the impact of potential exploits.
In conclusion, the exploitation of CVE-2025-41244 by UNC5174 highlights the critical importance of timely patching and proactive threat hunting. Cybersecurity professionals should prioritize patching affected VMware systems and remain vigilant for signs of exploitation.