Broadcom has patched the CVE-2025-41244 vulnerability. A good thing indeed, as the bug had been exploited in the wild since October of last year, researchers note.
The vulnerability affects VMware Tools and VMware Aria Operations. These management layers inside the VMware solution proved susceptible to local privilege escalation and root-level code execution. In the wrong hands, this bug could lead to major problems. The service-discovery routine in VMware Tools runs with elevated privileges when it locates service binaries and queries them for their component versions, and it identified those binaries loosely. A local user could therefore plant a binary that did not belong to the managed system, and the tooling would execute it with root privileges.
Pseudo-exploits?
Nviso, a security company focused on pentesting and incident response, discovered that the China-backed attacker UNC5174 exploited the bug. It is noteworthy that it is unclear whether this was deliberate: attackers drop malicious binaries for other reasons too. VMware's tooling may simply have picked up those binaries and run them with elevated privileges as a side effect, and whether UNC5174 knowingly used the bug as an attack vector is not known.
UNC5174 has already come under scrutiny from security researchers. Sysdig reported in April that this cyber group knows how to conceal itself by using open-source tooling such as VShell. Thankfully, the analyst spotlight shines brightly on the threat actor. Between the Sysdig and Nviso reports, WhoisXML API unveiled the "DNS underbelly" of the collective, making it easier to spot in the wild.
However, according to Nviso, the behavior of the VMware tooling is concerning enough that various malware variants may have taken advantage of it, whether by design or not. Fortunately, exploitation of CVE-2025-41244 is "easily detected," according to Nviso analyst Maxime Thiebaut.
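To make the mechanism and the detection angle concrete, the following is an added example written for this article; it is not VMware's code, nor Nviso's, and it does not reproduce the actual vulnerable script. It models the bug class described above: a root-run collector that picks service binaries by file name wherever they live (the weak form) versus one that only accepts them from directories a local user cannot write to (the hardened form), followed by a detection check over constructed process-execution records that flags the collector running a binary from a location that does not belong to the managed system. The service names, trusted directories, collector process name and sample paths are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed illustration of the bug class, not VMware's code.
# Names, directories and patterns below are assumptions made for this example.

SERVICE_NAMES = ("httpd", "nginx", "mysqld")
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")

# Weak form: a service binary is recognised by its file name, wherever it lives.
# Any running executable called "httpd" is selected, so /tmp/httpd started by an
# unprivileged user qualifies just like /usr/sbin/httpd.
LOOSE_MATCH = re.compile(r"^\S+/(" + "|".join(SERVICE_NAMES) + r")$")

# Hardened form: the same names, but only under directories a local user cannot
# write to, so planted binaries never enter the list the collector executes.
STRICT_MATCH = re.compile(
    r"^(" + "|".join(re.escape(d) for d in TRUSTED_DIRS) + r")/("
    + "|".join(SERVICE_NAMES) + r")$"
)


def select_targets(exe_paths, matcher):
    """Return the executables a root-run version collector would invoke with a
    version flag, given the resolved executables of running processes."""
    return [p for p in exe_paths if matcher.match(p)]


# Constructed snapshot of /proc/<pid>/exe targets on a host.
RUNNING = [
    "/usr/sbin/httpd",
    "/tmp/httpd",                 # planted by a local user, then started
    "/home/alice/.cache/nginx",   # same trick with a different service name
    "/usr/bin/python3",
    "/usr/sbin/mysqld",
]


@dataclass(frozen=True)
class ExecEvent:
    """One process-execution record, as an auditd rule or EDR sensor would emit."""
    parent_comm: str   # short name of the parent process
    euid: int          # effective uid the child runs with
    exe: str           # resolved path of the executed binary
    argv: tuple        # command line


# Assumed name of the privileged collector process; adjust to the real one.
COLLECTOR_COMM = "version-collector"
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def is_suspicious(ev, collector_comm=COLLECTOR_COMM):
    """Flag the privileged collector executing a binary from a location that
    does not belong to the managed system. The version flag it passes is a
    useful corroborating attribute but is not required for the match."""
    return (
        ev.euid == 0
        and ev.parent_comm == collector_comm
        and ev.exe.startswith(UNTRUSTED_PREFIXES)
    )


def flag_events(events):
    """Return the executables of every suspicious event, in order."""
    return [ev.exe for ev in events if is_suspicious(ev)]


# Constructed events: one benign collection, one abuse, one unrelated run.
EVENTS = [
    ExecEvent("version-collector", 0, "/usr/sbin/httpd", ("/usr/sbin/httpd", "-v")),
    ExecEvent("version-collector", 0, "/tmp/httpd", ("/tmp/httpd", "-v")),
    ExecEvent("bash", 1000, "/tmp/httpd", ("/tmp/httpd",)),
]

if __name__ == "__main__":
    print("loose matcher would run as root:", select_targets(RUNNING, LOOSE_MATCH))
    print("strict matcher would run as root:", select_targets(RUNNING, STRICT_MATCH))
    print("suspicious executions:", flag_events(EVENTS))
```

Run as-is, the loose matcher selects the two planted binaries alongside the legitimate ones, the strict matcher selects only the system binaries, and the detection pass flags the single root execution of `/tmp/httpd` by the collector while ignoring the same file run by the unprivileged user. For a real deployment, the parent process name and the untrusted-directory list should be taken from the environment rather than from these assumptions.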
Score
The vulnerability received a CVSS score of 7.8, or "high." As usual, we should note that a CVSS base score rates the characteristics of the flaw, not the severity of its real-world exploitation: a local privilege escalation of this kind typically lands at 7.8 because the attacker needs local, low-privileged access but ends up with full control of the host. In any case, a patch is available to fix the problem. Patching removes the bug but not anything an attacker may already have set up with it, so organizations should check whether root access obtained this way was used for persistence or lateral movement from the affected hosts.