- Broadcom patches CVE-2025-41244, a high-severity VMware privilege escalation
- Chinese actor UNC5174 exploited the bug using malicious binaries staged in paths such as /tmp/httpd
- UNC5174 previously targeted the French government and commercial sectors using Ivanti CSA vulnerabilities
Broadcom has patched a high-severity vulnerability affecting its VMware Aria Operations and VMware Tools products that was exploited as a zero-day in real-world attacks.
In a new security advisory, the company disclosed that it has fixed a local privilege escalation vulnerability that allowed a local user with limited access to a virtual machine to become root, provided that VMware Tools and Aria Operations with SDMP enabled were running on that virtual machine. The bug is now tracked as CVE-2025-41244 and has received a severity score of 7.8/10 (high).
Those looking for a 32-bit Windows fix should look for VMware Tools 12.4.9, part of VMware Tools 12.5.4. For Linux, there is a version of open-vm-tools that will be distributed by Linux vendors.
UNC5174 blamed
The advisory also mentions a pair of other vulnerabilities that were fixed, but it does not mention any in-the-wild abuse.
BleepingComputer, however, identified a separate report by NVISO cybersecurity researchers, who not only confirmed the exploitation but also published a proof of concept (PoC) demonstrating how threat actors could exploit the bug to escalate privileges on compromised systems.
They also named Chinese state-sponsored actors as the ones taking advantage of this bug: “To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary in one of the broadly matching regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd,” NVISO said in its report.
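The mechanism NVISO describes is a privileged component that matches running executables by path pattern rather than by where they actually live. The following is an added example (not code from Broadcom, VMware or NVISO) that simulates a broad path match beside a hardened check and runs a small hunt over a constructed process table. The regular expression, the trusted directory list and the sample processes are all assumptions made for illustration; the pattern is not VMware's actual regex.

```python
import os
import re
from dataclasses import dataclass


# Constructed sample process table, as a privileged service-discovery agent might see it.
# These records are made up for the example and do not come from any real system.
@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str   # path of the running executable
    uid: int   # uid that owns the process (0 = root)


SAMPLE_PROCS = [
    Proc(412, "/usr/sbin/httpd", 0),        # legitimate web server run by root
    Proc(988, "/usr/sbin/sshd", 0),         # unrelated daemon, should not match
    Proc(2310, "/tmp/httpd", 1000),         # staged by an unprivileged user (the /tmp/httpd case)
    Proc(2344, "/home/alice/httpd", 1000),  # same trick from a home directory
]

# ASSUMPTION: an illustrative "broad" pattern that accepts any executable named httpd
# wherever it lives. It stands in for the class of over-permissive path matches the
# write-up describes and is not the vendor's real expression.
BROAD_PATTERN = re.compile(r"^.*/httpd$")

# Directories a privileged agent should be willing to trust a service binary from.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/libexec/", "/sbin/", "/bin/")


def matches_broad(path: str) -> bool:
    """Weak check: does the path merely look like a service binary?"""
    return BROAD_PATTERN.match(path) is not None


def is_trusted_path(path: str) -> bool:
    """Hardened check: canonicalise the path (collapsing '..' components) and require it
    to sit under a trusted system directory. Pure string logic, so the example runs
    without touching the filesystem."""
    canon = os.path.normpath(path)
    if not os.path.isabs(canon):
        return False
    return any(canon.startswith(d) for d in TRUSTED_DIRS)


def triage(procs):
    """Return the processes the broad pattern would act on but which fail the hardened
    check or are not owned by root: exactly the staged-binary cases worth hunting for."""
    return [
        p for p in procs
        if matches_broad(p.exe) and (not is_trusted_path(p.exe) or p.uid != 0)
    ]


if __name__ == "__main__":
    for p in triage(SAMPLE_PROCS):
        print(f"suspicious: pid={p.pid} exe={p.exe} uid={p.uid}")
```

Run against the constructed table, the broad match accepts both `/usr/sbin/httpd` and `/tmp/httpd`, while the hardened check keeps only the former; `triage` therefore surfaces the two user-owned binaries outside trusted directories, which is the shape of evidence a defender would look for on a host where the vulnerable components were running. On a live system the same logic would be fed from the process list and combined with a check that the file and its directory are not writable by unprivileged users.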
UNC5174 is a known Chinese state-sponsored threat actor. This summer, it was reported that the group targeted French government agencies in late 2024, as well as numerous commercial entities such as telecommunications, finance and transport organizations.
At the time, the French National Agency for the Security of Information Systems (ANSSI) noted that the threat actors abused three security vulnerabilities in Ivanti CSA devices: CVE-2024-8963, CVE-2024-9380 and CVE-2024-8190.