Chinese hackers exploiting VMware zero-day since October 2024

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-vmware-zero-day-since-october-2024/

ONE SENTENCE SUMMARY:

Broadcom has patched CVE-2025-41244, a high-severity local privilege escalation flaw in VMware Aria Operations and VMware Tools that the China-linked threat actor UNC5174 had been exploiting as a zero-day since October 2024.

MAIN POINTS:

  1. Broadcom patched a high-severity local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools (advisory VMSA-2025-0015).
  2. The flaw, tracked as CVE-2025-41244, had been exploited as a zero-day by UNC5174 since October 2024, almost a year before a fix was available.
  3. NVISO researcher Maxime Thiebaut discovered the in-the-wild exploitation and reported the bug to Broadcom in May 2025.
  4. The bug is in the service-discovery logic: it locates running service binaries using overly broad path patterns and executes them with root privileges to read their version, so a local user without administrative rights can stage a binary with a matching name in a writable directory such as /tmp and have it run as root.
  5. NVISO released a proof-of-concept demonstrating the privilege escalation.
  6. UNC5174 is believed to operate as a contractor for China’s Ministry of State Security (MSS).
  7. UNC5174 has previously exploited multiple vulnerabilities against government, research and infrastructure organizations in the U.S., UK, and Canada.
  8. On the same day, Broadcom also fixed two VMware NSX vulnerabilities reported by the NSA.
  9. In March, Broadcom fixed three other zero-days in ESXi, Workstation and Fusion that had been reported by Microsoft.
  10. Separately, the article notes that password cracking now succeeds in 46% of tested environments, up from 25%.
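The root cause summarized in point 4, as an added illustration that is not code from the article, from NVISO, or from VMware: a loose path pattern in a privileged version-discovery step beside a hardened one, plus the ownership and permission check that any launcher running as root should make before executing a discovered binary. The service names, the trusted-directory allow-list and the exact shape of the patterns are assumptions modelled on public descriptions of the flaw, and the process listing is constructed. The same "service-named binary outside a root-owned directory" test doubles as a hunt for staged binaries like the ones the attackers dropped.

```python
import os
import posixpath
import re
import stat
from typing import Iterable, List

# Constructed sample of running processes' command paths, in the form a
# `ps -e -o comm=`-style listing would report them. The /tmp and home-dir
# entries model an unprivileged user staging a binary whose *name* matches a
# service the discovery logic looks for.
SAMPLE_PROCESSES = [
    "/usr/sbin/httpd",
    "/usr/sbin/nginx",
    "/usr/bin/python3",
    "/tmp/httpd",
    "/home/dev/.local/bin/nginx",
]

# Assumed service names; the real script handles many more.
SERVICE_NAMES = ("httpd", "nginx")

# Loose matcher in the spirit of the flawed discovery logic (an assumption
# modelled on public write-ups, not VMware's code): any non-whitespace path
# ending in a known service name qualifies, so /tmp/httpd is as acceptable
# as /usr/sbin/httpd to a step that then runs "<path> -v" as root.
LOOSE_PATTERN = re.compile(r"^\S+/(%s)$" % "|".join(SERVICE_NAMES))

# Hardened matcher: the binary must live in a directory only root can write to.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/usr/libexec", "/sbin", "/bin")
STRICT_PATTERN = re.compile(
    r"^(?:%s)/(%s)$"
    % ("|".join(re.escape(d) for d in TRUSTED_DIRS), "|".join(SERVICE_NAMES))
)


def select_for_version_probe(processes: Iterable[str], pattern: re.Pattern) -> List[str]:
    """Return the command paths a privileged 'run <binary> -v' step would accept."""
    return [p for p in processes if pattern.match(p)]


def attacker_controlled_candidates(processes: Iterable[str]) -> List[str]:
    """Paths the loose matcher accepts but the strict one rejects.

    Each entry is a binary a local user could have staged to get it executed
    as root during discovery; on a live host this list is the hunt output.
    """
    loose = select_for_version_probe(processes, LOOSE_PATTERN)
    strict = set(select_for_version_probe(processes, STRICT_PATTERN))
    return [p for p in loose if p not in strict]


def binary_is_trustworthy(path: str, st_uid: int, st_mode: int) -> bool:
    """Defence in depth for a privileged launcher.

    Besides an allow-listed directory, require a regular file owned by root
    that is not writable by group or others; a path check alone does not
    prove the file is what the administrator installed.
    """
    if posixpath.dirname(path) not in TRUSTED_DIRS:
        return False
    if not stat.S_ISREG(st_mode):
        return False
    if st_uid != 0:
        return False
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def on_disk_is_trustworthy(path: str) -> bool:
    """Apply binary_is_trustworthy to a real file on the local filesystem."""
    st = os.stat(path)
    return binary_is_trustworthy(path, st.st_uid, st.st_mode)


if __name__ == "__main__":
    print("loose accepts :", select_for_version_probe(SAMPLE_PROCESSES, LOOSE_PATTERN))
    print("strict accepts:", select_for_version_probe(SAMPLE_PROCESSES, STRICT_PATTERN))
    print("hunt hits     :", attacker_controlled_candidates(SAMPLE_PROCESSES))
```

Against the constructed listing the loose pattern accepts /tmp/httpd and the home-directory nginx along with the real daemons, while the strict pattern accepts only the /usr/sbin binaries; the difference is exactly what an unprivileged user could have planted, which is why the same function is useful for hunting on hosts that have not yet been patched.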

TAKEAWAYS:

  1. The fix closes a hole that was exploited for close to a year before patches existed; apply the VMware Aria Operations and VMware Tools updates (and the corresponding open-vm-tools packages, where applicable) promptly.
  2. UNC5174 continues to exploit vulnerabilities in enterprise software for espionage.
  3. Coordination between researchers (here NVISO) and vendors is what got the in-the-wild exploitation identified and the bug fixed.
  4. Rising password-cracking success rates underscore the need for stronger credential controls.
  5. Monitoring for service-named binaries running from user-writable locations such as /tmp, together with prompt patching, helps defend against state-sponsored exploitation of flaws like this one.