At TecnetOne, we want to keep you up to date with the most relevant cybersecurity threats that could affect your organization. That’s why today we’re bringing you details about a serious vulnerability recently patched in Broadcom VMware products, which has been actively exploited as a zero-day since October 2024 by a threat group known as UNC5174.
The security flaw, identified as CVE-2025-41244, has a CVSS score of 7.8, classifying it as a high-severity vulnerability. It’s a local privilege escalation bug, meaning that once inside the system, an attacker could elevate their permissions and take full control of the affected environment.
This flaw impacts multiple versions of widely used VMware products in enterprise environments, across both Windows and Linux systems:
- VMware Cloud Foundation: 4.x, 5.x, 9.x.x.x, 13.x.x.x
- VMware vSphere Foundation: 9.x.x.x, 13.x.x.x
- VMware Aria Operations: 8.x
- VMware Tools: 11.x.x, 12.x.x, and 13.x.x
- VMware Telco Cloud Platform: 4.x and 5.x
- VMware Telco Cloud Infrastructure: 2.x and 3.x
The broad range of affected versions highlights the potential risk for organizations that have not yet applied the necessary security patches.
How the Exploit Works and What an Attacker Needs to Abuse the Vulnerability
According to Maxime Thiebaut, a security researcher at NVISO, exploiting this vulnerability isn’t as difficult as it may seem. A local, non-privileged attacker can place a malicious binary in a system path that matches VMware’s service discovery search patterns. One of the most common and easy-to-abuse locations (and one that has already been used by the UNC5174 group) is the temporary folder /tmp/httpd.
“For VMware to detect that malicious binary as part of its service discovery system, it’s enough for the file to be executed by an unprivileged user and to open at least one listening socket—even a random one,” Thiebaut explained.
As part of their analysis, NVISO also released a proof-of-concept (PoC) exploit demonstrating how CVE-2025-41244 can be used to escalate privileges on systems running vulnerable versions of:
- VMware Aria Operations (credential-based mode)
- VMware Tools (credential-less mode)
This exploit shows that an attacker can execute code with root privileges within the virtual machine, representing a severe risk if security updates are not applied.
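The two conditions described above (an unprivileged process running from a world-writable location such as /tmp, and that process holding a listening socket) are cheap for a defender to check for on a Linux guest. The following script is an added example written for this article, not code from NVISO, Broadcom or VMware, and it does not reproduce VMware's actual service discovery patterns. It parses the /proc/net/tcp table to find LISTEN-state sockets, then flags any process whose executable lives under a directory assumed here to be world-writable (/tmp, /var/tmp, /dev/shm) and that owns one of those sockets. The process records and the /proc/net/tcp excerpt are constructed sample data; `collect_from_proc()` builds the same records from a live host.

```python
"""Flag processes that run from world-writable directories and hold a listening socket.

Added detection example for CVE-2025-41244-style abuse; not vendor code.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumption: directories any local user can write to. Adjust per host policy.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed /proc/net/tcp excerpt: sshd listening on 22 (inode 1001),
# an unprivileged /tmp/httpd listening on 8080 (inode 2002),
# and one ESTABLISHED connection (state 01) that must not count.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 2002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:D431 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 3003 1 0000000000000000 20 4 30 10 -1
"""


@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    exe: str                    # resolved target of /proc/<pid>/exe
    uid: int                    # real uid from /proc/<pid>/status
    socket_inodes: frozenset    # socket inodes referenced by /proc/<pid>/fd/*


# Constructed process table matching the socket inodes above.
SAMPLE_PROCESSES = [
    ProcessInfo(812, "/usr/sbin/sshd", 0, frozenset({1001})),
    ProcessInfo(4242, "/tmp/httpd", 1000, frozenset({2002, 3003})),
    ProcessInfo(4300, "/tmp/build/compile", 1000, frozenset()),   # no sockets: not flagged
]


def parse_listening_inodes(proc_net_tcp: str) -> dict[int, int]:
    """Return {socket_inode: local_port} for rows in LISTEN state (st == 0A)."""
    listening: dict[int, int] = {}
    for line in proc_net_tcp.splitlines()[1:]:        # skip header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, inode = fields[1], fields[3], fields[9]
        if state.upper() == "0A":
            port = int(local_addr.split(":")[1], 16)  # port is hex in /proc/net/tcp
            listening[int(inode)] = port
    return listening


def in_world_writable_dir(exe: str) -> bool:
    """True if the executable path is inside one of WORLD_WRITABLE_DIRS."""
    path = PurePosixPath(exe)
    return any(PurePosixPath(d) in path.parents for d in WORLD_WRITABLE_DIRS)


def find_suspicious(processes, listening: dict[int, int]):
    """Return (pid, exe, uid, [ports]) for processes that both run from a
    world-writable directory and own at least one listening socket."""
    findings = []
    for proc in processes:
        if not in_world_writable_dir(proc.exe):
            continue
        ports = sorted(listening[i] for i in proc.socket_inodes if i in listening)
        if ports:
            findings.append((proc.pid, proc.exe, proc.uid, ports))
    return findings


def collect_from_proc(proc_root: str = "/proc"):
    """Build ProcessInfo records from a live Linux /proc (needs rights to read other users' fds)."""
    records = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "status")) as fh:
                uid = next(int(l.split()[1]) for l in fh if l.startswith("Uid:"))
            inodes = set()
            for fd in os.listdir(os.path.join(base, "fd")):
                target = os.readlink(os.path.join(base, "fd", fd))
                if target.startswith("socket:["):
                    inodes.add(int(target[8:-1]))
        except (OSError, StopIteration):
            continue                                   # process exited or not readable
        records.append(ProcessInfo(int(entry), exe, uid, frozenset(inodes)))
    return records


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_PROCESSES, parse_listening_inodes(SAMPLE_PROC_NET_TCP))
    for pid, exe, uid, ports in hits:
        print(f"pid={pid} uid={uid} exe={exe} listening_on={ports}")
```

On a real host, replace the two constructed inputs with `collect_from_proc()` and the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6 listeners). A hit is a lead, not proof of compromise: confirm it against change tickets and the binary's hash before acting.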
Who Is UNC5174 and Why Is It a Real Threat?
In the world of cybersecurity, the name UNC5174 has quickly gained notoriety. According to analysts at Google Mandiant, this group is linked to China’s Ministry of State Security (MSS) and is believed to operate as a contractor conducting highly targeted cyber espionage operations.
Over the past few years, UNC5174 has been highly active. In late 2023, researchers observed the group compromising networks belonging to U.S. defense contractors, U.K. government entities, and institutions across Asia, later selling access to those networks. In many of these attacks, they exploited a critical vulnerability in F5 BIG-IP devices (CVE-2023-46747), which allowed for remote code execution.
But that was just the beginning. In February 2024, the group made headlines again by exploiting the CVE-2024-1709 vulnerability in ConnectWise ScreenConnect, enabling them to breach hundreds of organizations across the U.S. and Canada.
More recently, in May 2025, UNC5174 was identified as the actor behind attacks that exploited a critical unauthenticated file upload vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer, allowing them to execute malicious code on vulnerable servers.
And they haven’t acted alone. Other China-linked threat groups—such as Chaya_004, UNC5221, and CL-STA-0048—joined the campaign, targeting over 580 SAP NetWeaver instances, including critical systems in both the U.K. and the U.S.
UNC5174’s activity also coincides with a series of severe vulnerabilities discovered in VMware products. In fact, Broadcom recently patched two critical flaws in VMware NSX reported by the National Security Agency (NSA). And in March, three zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) were patched—all actively exploited, according to Microsoft’s Threat Intelligence Center.
Conclusion: What Can You Do to Protect Yourself?
The attacks carried out by UNC5174 and other state-linked Chinese groups serve as a clear reminder that cybersecurity is no longer optional—it’s essential. Vulnerabilities like CVE-2025-41244, exploited in secret for months, show how even the most robust environments can be exposed if action isn’t taken swiftly.
At TecnetOne, we recommend taking proactive steps—don’t wait for a headline-grabbing security alert to react.
Key Recommendations:
- Apply all available patches: Ensure your VMware systems are updated with the latest versions. Broadcom has already released the necessary patches for this and other recent vulnerabilities.
- Scan your infrastructure for suspicious activity: Use monitoring tools like TecnetOne’s SOC to detect anomalous behavior, unauthorized binaries, and unusual outbound connections.
- Isolate vulnerable environments: If you can't patch immediately, implement network controls to limit access to critical services.
- Implement a least-privilege policy: Reduce your attack surface by limiting user and service permissions. Many of these attacks rely on misconfigured or unrestricted accounts.
- Evaluate your detection and response tools (EDR/XDR): Make sure you have solutions in place that can identify real-time attacks, including zero-day exploits and APT activity.
- Conduct regular security audits: Frequently assess your systems and policies. It’s not enough to be protected today—you need to stay protected every day.
In short, these types of attacks don’t only affect large corporations or governments—any organization using vulnerable software is at risk. Being informed, acting quickly, and maintaining a strong cybersecurity strategy can be the difference between a secure network and a catastrophic breach.