{"id":127833,"date":"2025-10-02T01:25:39","date_gmt":"2025-10-01T19:55:39","guid":{"rendered":"https:\/\/www.techworm.net\/?p=127833"},"modified":"2025-10-02T01:25:39","modified_gmt":"2025-10-01T19:55:39","slug":"chinese-hackers-exploit-vmware-zero-day-for-a-year","status":"publish","type":"post","link":"https:\/\/www.techworm.net\/2025\/10\/chinese-hackers-exploit-vmware-zero-day-for-a-year.html","title":{"rendered":"Chinese Hackers Exploit VMware Zero-Day For A Year"},"content":{"rendered":"

A serious security flaw in widely used VMware software has been actively exploited in the wild for almost a year, with cybersecurity researchers attributing the campaign to a Chinese state-sponsored hacking group.<\/p>\n

Broadcom, the company that owns VMware, has released patches for the bug, tracked as CVE-2025-41244<\/a>, a local privilege escalation (LPE) affecting VMware Aria Operations\u2019 Service Discovery Management Pack (SDMP) and VMware Tools (open-vm-tools).<\/p>\n

The flaw (CVSS score: 7.8) allows attackers with limited access inside a virtual machine (VM) to gain full administrator (root) privileges. Once inside, hackers take full control of VMs to run malicious code, steal data, or install backdoors to maintain long-term access.<\/p>\n

Exploited Since October 2024<\/strong>\u00a0<\/strong><\/p>\n

Cybersecurity firm NVISO claims it has found evidence that the zero-day vulnerability was exploited in the wild starting in mid-October 2024, well before a patch was available. The attacks were attributed to UNC5174, a China-linked group that Google\u2019s Mandiant believes works as a contractor for the country\u2019s Ministry of State Security.<\/p>\n

UNC5174 has a history of exploiting newly discovered software vulnerabilities. In the past, they have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK.<\/p>\n

How The Exploit Works<\/strong><\/p>\n

At the heart of the issue is VMware\u2019s service discovery feature, which scans VMs to see which programs are running. Those scans use broad pattern matching to find program names that, researchers found, can be tricked into mistaking a malicious program for a legitimate one.<\/p>\n

All an attacker needs to do is place a fake program in a temporary folder \u2014 for example, disguising it as \/tmp\/httpd<\/em> (a common web server binary name). When the VMware scanner runs, it may think the fake program is the real service and unknowingly execute the attacker\u2019s code with elevated privileges. That\u2019s all it takes to get full control.<\/p>\n

\u201cAs simple as it sounds \u2014 you name it, VMware elevates it,\u201d said NVISO researcher Maxime Thiebaut, who reported<\/a> the flaw to Broadcom in May 2025.<\/p>\n

Affected Versions<\/strong><\/p>\n

The versions that are affected by the\u00a0CVE-2025-41244 vulnerability are: VMware Cloud Foundation 4.x and 5.x, VMware Cloud Foundation 9.x.x.x, VMware Cloud Foundation 13.x.x.x (Windows, Linux), VMware vSphere Foundation 9.x.x.x, VMware vSphere Foundation 13.x.x.x (Windows, Linux), VMware Aria Operations 8.x, VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux), VMware Telco Cloud Platform 4.x and 5.x, and VMware Telco Cloud Infrastructure 2.x and 3.x.<\/p>\n

What It Means For Organizations<\/strong>\u00a0<\/strong><\/p>\n

Since this is a local escalation privilege vulnerability, attackers first need a foothold on a virtual machine. Once inside, however, the bug makes it easy to gain root access.<\/p>\n

NVISO warns that not only the Chinese-linked group UNC5174 but possibly other malware may have exploited this weakness for years. The company even released a proof-of-concept (PoC) exploit to demonstrate how quickly attackers can gain root access.<\/p>\n

Broadcom\u2019s Response<\/strong><\/p>\n

\u00a0<\/strong>Broadcom has now patched the flaw across multiple VMware products, including:<\/p>\n