Broadcom has released a critical security update addressing six vulnerabilities across VMware products, including four rated high-severity. At the center of the update is CVE-2025-41244, a local privilege escalation flaw affecting VMware Tools and Aria Operations. What makes this vulnerability particularly alarming is that it was actively exploited in the wild as a zero-day since mid-October 2024, nearly a full year before its public disclosure.
Security researchers at NVISO Labs attribute the exploitation to UNC5174, a China-linked threat actor with a track record of targeting enterprise systems. The flaw allows a malicious local user with non-admin access to escalate privileges to root on virtual machines, granting complete control of the environment. While the vulnerability requires some level of access, its ease of exploitation makes it a powerful tool for attackers once initial footholds are established.
Broadcom confirmed the zero-day exploitation and patched the issue in multiple VMware product families, including VMware Cloud Foundation, vSphere Foundation, Aria Operations, VMware Tools, and Telco Cloud platforms. Beyond CVE-2025-41244, the patch release also fixed additional flaws such as CVE-2025-41245 (information disclosure) and CVE-2025-41246 (improper authorization), highlighting a broader set of risks within the VMware ecosystem.
The fact that CVE-2025-41244 was being leveraged for nearly a year before public disclosure underscores both the sophistication of advanced threat actors and the challenges defenders face in detecting zero-day exploitation. This incident also raises key questions about UNC5174’s capabilities—whether the group is actively developing new zero-days or opportunistically exploiting flaws considered “trivial” once discovered.
In this episode, we analyze the technical mechanics of the vulnerability, explore how UNC5174 weaponized it, and outline the immediate mitigation steps organizations must take. For enterprises running VMware environments, patching these flaws is critical to preventing full system compromise.
#VMware #Broadcom #ZeroDay #CVE202541244 #UNC5174 #Cybersecurity #PrivilegeEscalation #CloudSecurity #VMwareTools #AriaOperations #ChinaLinkedThreatActor
