VMware Virtual Machines Targeted in Zero-Day Exploitation by China-Linked Hackers

Broadcom warns of zero-day flaws in VMware software exploited by China-linked hackers, allowing privilege escalation for months, raising concerns over virtualization security and global enterprise infrastructure.

    Broadcom has issued a critical security advisory warning of multiple zero-day vulnerabilities affecting VMware software, which is widely deployed to power virtual machines across enterprise networks. The company said China-linked hackers may have silently exploited the flaws for months or possibly years, allowing privilege escalation to administrator-level access.

    The vulnerabilities impact VMware Aria Operations, VMware Tools, and other related products that administrators depend on to monitor, analyze, and manage their virtualized environments. Broadcom released security updates addressing the flaws, but investigators believe advanced persistent threat actors may already have leveraged them in real-world attacks.

    “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” Broadcom stated in its advisory.

    The company classified the vulnerabilities within the “important severity range,” assigning a maximum CVSS base score of 7.8 out of 10. Although not rated critical, the flaws provide a direct avenue for attackers to escalate rights and potentially expand their control over targeted systems.

    Zero-Day Exploitation Linked to UNC5174

    Cybersecurity researchers who initially discovered the vulnerabilities have reported that exploitation may have been ongoing for a significant period. Belgian security firm NVISO identified signs of compromise while responding to an incident attributed to a China-linked state-sponsored hacking group tracked as UNC5174.

    NVISO researchers said exploitation activity began as early as mid-October 2024. In its report, the company stated:

    “NVISO has identified zero-day exploitation in the wild beginning mid-October 2024. NVISO determined with confidence that UNC5174 triggered the local privilege escalation.”

    UNC5174 has previously been associated with operations targeting virtualization platforms and infrastructure management systems. According to researchers, the group frequently disguises its malicious tools to mimic legitimate VMware system binaries, making detection challenging.

    The firm added that the vulnerabilities’ trivial nature may complicate attribution, as some malware families might have inadvertently benefited from the flaws without intentionally targeting them.

    Risk of Long-Term Exploitation

    Security experts noted that the simplicity of the vulnerabilities raises the possibility they were unknowingly exploited by threat actors for extended periods. In some cases, the privilege escalation effects may have been accidental, yet still advantageous to attackers.

    Maxime Thiebaut, an incident response and threat researcher at NVISO, emphasized the risks tied to these flaws:

    “The threat actor often mimics VMware system binaries, and several malware strains might have accidentally been benefiting from unintended privilege escalations for years.”

    This observation suggests that exploitation could have remained unnoticed within corporate networks, enabling threat actors to quietly gain elevated access rights without triggering immediate alerts.

    The discovery underscores ongoing challenges in securing virtualization platforms that sit at the heart of enterprise IT environments. Virtual machines often host sensitive workloads, and weaknesses at the software layer can cascade across multiple systems if exploited.

    Broadcom’s Mitigation and Industry Impact

    Broadcom confirmed that it has rolled out patches to address the vulnerabilities, urging customers to apply updates without delay. The company has not disclosed whether it has evidence of confirmed intrusions but acknowledged the seriousness of the flaws given their potential impact.

    VMware software is deeply embedded in enterprise infrastructure, powering data centers, cloud environments, and virtualized operations across industries ranging from finance to healthcare. A successful exploit could grant attackers administrative access within these virtual machines, paving the way for data theft, surveillance, or lateral movement within networks.

    The case also illustrates the growing focus of state-sponsored actors on virtualization and cloud infrastructure. As organizations expand reliance on these technologies, threat groups are increasingly targeting them to gain long-term persistence and bypass traditional endpoint defenses.

    The involvement of a China-linked group further highlights geopolitical dynamics influencing cyber operations. State-backed groups are known to prioritize vulnerabilities that deliver strategic access to sensitive corporate and government networks.

    While Broadcom acted to close the vulnerabilities, the reported exploitation timeline suggests that UNC5174 and possibly other actors may already have achieved their objectives. The full scope of the compromise remains uncertain, but industry analysts warn that organizations could be facing risks long after patches are applied if attackers established persistence.

    Administrators are advised to immediately deploy the available patches, review system logs for unusual activity, and strengthen monitoring of VMware environments for signs of privilege escalation attempts.
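    The article notes that UNC5174 disguises its tools to mimic legitimate VMware system binaries and advises administrators to monitor VMware environments for privilege escalation attempts. The following script is an added illustration of one such check, not code from Broadcom, NVISO or this article: it flags running processes that carry a VMware Tools binary name but execute from outside the expected install directories. The binary names and directories are assumptions for a typical Linux guest and should be adjusted to the host's real inventory.

```python
import os
from dataclasses import dataclass

# Assumed names of legitimate VMware Tools / open-vm-tools binaries (assumption:
# extend this set to match the tools actually installed on your guests).
VMWARE_BINARY_NAMES = {"vmtoolsd", "vmware-toolbox-cmd", "vmware-vmblock-fuse",
                       "vmware-user-suid-wrapper", "vmware-checkvm"}
# Assumed directories where those binaries are installed on Linux guests.
EXPECTED_DIRS = ("/usr/bin", "/usr/sbin", "/usr/lib/vmware-tools", "/usr/lib/open-vm-tools")


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str   # process name as reported in /proc/<pid>/comm
    exe: str    # resolved path of the executable actually running


def is_lookalike(p: Proc) -> bool:
    """True when the process name or executable name matches a VMware Tools binary
    but the executable lives outside the expected install directories."""
    base = os.path.basename(p.exe)
    if base not in VMWARE_BINARY_NAMES and p.name not in VMWARE_BINARY_NAMES:
        return False
    # Trailing slash prevents /usr/binx/... from matching /usr/bin.
    return not any(p.exe.startswith(d + "/") for d in EXPECTED_DIRS)


def find_lookalikes(procs):
    """Return every process that looks like a disguised VMware binary."""
    return [p for p in procs if is_lookalike(p)]


def collect_linux_procs():
    """Read name and executable path of every process from /proc (Linux only)."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                name = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited or we lack permission to read it
        out.append(Proc(int(pid), name, exe))
    return out


# Constructed sample process list, not captured from a real host.
SAMPLE = [
    Proc(812, "vmtoolsd", "/usr/bin/vmtoolsd"),            # genuine
    Proc(2231, "vmtoolsd", "/tmp/.cache/vmtoolsd"),        # lookalike in /tmp
    Proc(2240, "vmware-checkvm", "/home/user/vmware-checkvm"),  # lookalike in home dir
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),        # unrelated
]

if __name__ == "__main__":
    procs = collect_linux_procs() if os.path.isdir("/proc") else SAMPLE
    for p in find_lookalikes(procs):
        print(f"suspicious: pid={p.pid} name={p.name} exe={p.exe}")
```

A mimic that overwrites the genuine binary in its expected path will not be flagged by this check; pair it with package-manager integrity verification of the VMware Tools files.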
