Chinese hackers exploited VMware bug as zero-day since October 2024

China-linked threat actors have been exploiting a recently patched local privilege escalation flaw in Broadcom’s VMware Tools and VMware Aria Operations since mid-October 2024, according to a report from NVISO Labs.

Tracked as CVE-2025-41244, the vulnerability affects multiple VMware products, including VMware Cloud Foundation (4.x, 5.x, 9.x.x.x and 13.x.x.x), VMware vSphere Foundation (9.x.x.x and 13.x.x.x), VMware Aria Operations 8.x, VMware Tools (11.x.x, 12.x.x, 13.x.x), VMware Telco Cloud Platform (4.x, 5.x) and Telco Cloud Infrastructure (2.x, 3.x).

NVISO attributed the activity to UNC5174 (also tracked as Uteus/Uetus), a China-linked threat actor with a history of exploiting enterprise software to gain initial access. Broadcom, which owns VMware’s virtualization assets, has not publicly confirmed in-the-wild exploitation.

The bug allows a local user who already has access to a VM with VMware Tools installed, where that VM is managed by Aria Operations with the Service Discovery Management Pack (SDMP) enabled, to escalate privileges to root on that same VM.

According to the researchers, the issue stems from a get_version() function that uses overly broad regular expressions to identify the binaries whose versions it should query. Those regexes also match binaries in writable, non-system paths such as /tmp/httpd, so an unprivileged local user can stage a malicious binary there and have it executed with root privileges when VMware's metrics collection runs.
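To make the class of bug concrete, here is an added illustration written for this page; it is neither NVISO's proof of concept nor VMware's code. It models the matching logic over a constructed process table: a broad pattern accepts any path ending in the service name, so a user-staged /tmp/httpd is picked up alongside the legitimate /usr/sbin/httpd, while the hardened variant only accepts binaries under a fixed set of system directories. The patterns, the restriction to listening processes, the trusted-directory list, the sample entries and all helper names are assumptions made for the example; the real get_version() patterns are not reproduced here.

```python
"""Model of the CVE-2025-41244 matching flaw (added example, not VMware or NVISO code).

Everything below (regexes, process entries, directory allowlist, function
names) is constructed for illustration and does not reproduce the real
get_version() logic.
"""
import os
import re
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One entry of the (constructed) process table the collector inspects."""
    pid: int
    exe: str          # resolved path of the running binary
    listening: bool   # True if the process holds a listening socket


# Constructed sample: two system daemons, one attacker-staged binary in the
# world-writable /tmp, and one user-owned binary under a home directory.
SAMPLE_PROCS = [
    Proc(812, "/usr/sbin/httpd", True),
    Proc(913, "/usr/sbin/sshd", True),
    Proc(4242, "/tmp/httpd", True),               # staged by an unprivileged user
    Proc(4300, "/home/alice/bin/mysqld", True),   # also outside system paths
]

# Overly broad patterns in the spirit of the flaw (assumed, not the real ones):
# any non-space run ending in "/<name>" qualifies, wherever the file lives.
BROAD_PATTERNS = {
    "httpd": re.compile(r"\S+/httpd$"),
    "mysqld": re.compile(r"\S+/mysqld$"),
}

# Hardening assumption: only binaries under these root-owned directories may
# be invoked by a privileged collector.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/libexec/")


def vulnerable_targets(procs):
    """(service, path) pairs the broad matcher would hand to a root-run
    version query.  /tmp/httpd ends up in this list."""
    hits = []
    for p in procs:
        if not p.listening:
            continue
        for svc, rx in BROAD_PATTERNS.items():
            if rx.match(p.exe):
                hits.append((svc, p.exe))
    return hits


def hardened_targets(procs):
    """Same match, but anything outside TRUSTED_DIRS is refused."""
    return [(svc, path) for svc, path in vulnerable_targets(procs)
            if path.startswith(TRUSTED_DIRS)]


def path_is_attacker_controllable(path):
    """Live-host check usable before executing a discovered binary: true if
    the file or its directory is world-writable, the file is not root-owned,
    or the path cannot be inspected at all."""
    try:
        st = os.stat(path)
        dst = os.stat(os.path.dirname(path) or "/")
    except OSError:
        return True
    world_writable = bool((st.st_mode | dst.st_mode) & stat.S_IWOTH)
    return world_writable or st.st_uid != 0


def suspicious_listeners(procs):
    """Detection angle: listening processes whose binary lives outside the
    trusted directories.  This is what the /tmp/httpd staging looks like from
    the guest side, independent of whether the collector has run yet."""
    return [p for p in procs if p.listening and not p.exe.startswith(TRUSTED_DIRS)]


if __name__ == "__main__":
    print("broad matcher would run:   ", vulnerable_targets(SAMPLE_PROCS))
    print("hardened matcher would run:", hardened_targets(SAMPLE_PROCS))
    print("suspicious listeners:      ", [p.exe for p in suspicious_listeners(SAMPLE_PROCS)])
```

The directory allowlist is the cheap fix; path_is_attacker_controllable() is the defence-in-depth check a privileged collector should make even for an allowlisted path, and suspicious_listeners() is the same condition turned into a hunt query for guests that have not yet been patched.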

NVISO reported observing UNC5174 use the /tmp/httpd staging technique to spawn a root shell, though the exact payloads used remain unclear. Although the flaw lets unprivileged users run code in a privileged context, NVISO could not determine whether the actor deliberately added the zero-day to its toolkit or stumbled on it opportunistically, given how simple it is to exploit.

Broadcom/VMware noted that VMware Tools 12.4.9, shipped as part of VMware Tools 12.5.4, addresses the issue for 32-bit Windows systems, while Linux distribution vendors will distribute an updated open-vm-tools package.

Administrators are advised to apply the available updates and follow vendor guidance to mitigate the risk. Because this is a local privilege escalation, an attacker must first obtain access to the target VM by other means.

In a separate report, Cisco Talos has detailed an ongoing cyber campaign, active since 2022, that targets telecommunications and manufacturing sectors in Central and South Asia. The attackers are using a new variant of the PlugX malware that shares characteristics with the RainyDay and Turian backdoors, such as abusing legitimate applications for DLL sideloading and using the XOR-RC4-RtlDecompressBuffer encryption scheme with similar RC4 keys. The variant's configuration format is identical to RainyDay's, on the basis of which the researchers have attributed it with medium confidence to the Naikon threat group, an active Chinese-speaking threat actor that has been operating since 2010.
