Broadcom finally patches dangerous VMware zero-day exploited by Chinese hackers

Broadcom patches CVE-2025-41244, a high-severity VMware privilege escalation zero-day
Chinese actor UNC5174 exploited the bug using malicious binaries in paths like /tmp/httpd
UNC5174 previously targeted French government and commercial sectors using Ivanti CSA vulnerabilities

Broadcom has patched a high-severity vulnerability affecting its VMware Aria Operations and VMware Tools that was apparently used as a zero-day in real-world attacks.

In a new security advisory, the company revealed said it fixed a local privilege escalation vulnerability which allowed a local user with limited access to a VM to become root (if VMWare Tools and Aria Operations – with SDMP enabled – were running on that VM). The bug is now tracked as CVE-2025-41244, and was given a severity score of 7.8/10 (high).

Those looking for a fix for Windows 32-bit should seek out VMWare Tools 12.4.9, part of VMWare Tools 12.5.4. For Linux, there is a version of open-vm-tools that will be distributed by Linux vendors.

UNC5174 accused

The advisory also mentions a pair of other vulnerabilities that were fixed, but it does not mention any in-the-wild abuse.

BleepingComputer, however, spotted a separate report from cybersecurity researchers NVISO, who not only confirmed it, but also released a proof-of-concept (PoC) that demonstrates how threat actors might exploit the bug to escalate privileges on compromised systems.

They also said that Chinese state-sponsored actors were the ones leveraging this bug: “To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd,” NVISIO said in a report.

UNC5174 is a known Chinese state-sponsored actor. This summer, it was reported that the group targeted French government agencies in late 2024, as well as numerous commercial entities such as telcos, finance, and transportation organizations.

Back then, the French National Agency for the Security of Information Systems (ANSSI) noted threat actors were abusing three security vulnerabilities in Ivanti CSA devices: CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.