Full Report
Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024. [...]
Analysis Summary
# Vulnerability: VMware Privilege Escalation Flaw Exploited by Chinese Hackers
## CVE Details
- CVE ID: CVE-2025-41244
- CVSS Score: Not given in the source text; the flaw is described as high-severity (High)
- CWE: Not given in the source text; the description suggests an improper access control or command injection class of weakness
## Affected Systems
- Products: VMware Aria Operations (in credential-based mode), VMware Tools (in credential-less mode)
- Versions: Not explicitly specified, but pre-patch versions are vulnerable.
- Configurations: Specific impact noted for Aria Operations (credential-based) and Tools (credential-less).
## Vulnerability Description
This is a high-severity vulnerability allowing privilege escalation. An unprivileged local attacker can exploit the flaw by staging a malicious binary in a path matched by an overly broad regular expression used by the affected VMware services. Successful exploitation requires the unprivileged user to run the malicious binary (so that it appears in the process tree) and for that binary to hold at least one listening socket. The result is root-level code execution on the virtual machine.
## Exploitation
- Status: Exploited in the wild (since mid-October 2024) by the state-sponsored threat actor UNC5174.
- Complexity: Low (based on the description requiring staging a binary in a common location like `/tmp/httpd`).
- Attack Vector: Local
## Impact
- Confidentiality: High (Implied due to gaining root access)
- Integrity: High (Implied due to gaining root access/code execution)
- Availability: High (Implied due to gaining root access/code execution)
## Remediation
### Patches
- Patches have been released by Broadcom for the affected VMware Aria Operations and VMware Tools software. (Specific patch versions are not detailed in the source text.)
### Workarounds
- No specific workarounds were detailed in the provided summary, other than applying the patch.
## Detection
- Indicators of compromise: Presence of unexpectedly executed binaries (e.g., in `/tmp/httpd`) run by an unprivileged user that subsequently open listening network sockets.
- Detection methods and tools: Monitoring for unexpected binary execution in common temporary directory paths combined with network activity initiated by those processes.
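An added detection example (not from the original page, the advisory or the vendor) that implements the indicator above: it correlates non-root processes whose executable lives in a temporary directory with listening sockets parsed from `ss -lptn`-style output. The extra directories beyond `/tmp`, the `/proc` walker and all sample data are constructed assumptions.

```python
"""Flag non-root processes that run from a temp directory and hold a listening socket."""
import os
import re
from dataclasses import dataclass

# Assumed staging directories to watch; the source only names /tmp/httpd.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

@dataclass(frozen=True)
class Proc:
    pid: int
    uid: int
    exe: str  # resolved path of the running binary

def listening_pids(ss_output):
    """Collect PIDs from LISTEN rows of `ss -lptn` output (established rows are ignored)."""
    pids = set()
    for line in ss_output.splitlines():
        if line.startswith("LISTEN"):
            pids.update(int(m) for m in re.findall(r"pid=(\d+)", line))
    return pids

def find_suspicious(procs, listeners, temp_dirs=TEMP_DIRS):
    """Return processes matching the indicator: unprivileged, exe under a temp dir, listening."""
    hits = [p for p in procs
            if p.uid != 0 and p.exe.startswith(temp_dirs) and p.pid in listeners]
    return sorted(hits, key=lambda p: p.pid)

def live_procs():
    """Best-effort /proc walk on Linux; the /proc/<pid> owner approximates the process uid."""
    out = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                out.append(Proc(int(name), os.stat(f"/proc/{name}").st_uid,
                                os.readlink(f"/proc/{name}/exe")))
            except OSError:  # process exited or not readable
                pass
    return out

# Constructed sample data: pid 4242 is the only one that satisfies all three conditions.
SAMPLE_PROCS = [Proc(900, 0, "/usr/sbin/sshd"), Proc(4242, 1000, "/tmp/httpd"),
                Proc(4300, 1000, "/usr/bin/python3"), Proc(4401, 1000, "/tmp/httpd")]
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*         users:(("httpd",pid=4242,fd=3))
LISTEN 0      5      127.0.0.1:8000    0.0.0.0:*         users:(("python3",pid=4300,fd=4))
ESTAB  0      0      10.0.0.5:51000    10.0.0.9:443      users:(("httpd",pid=4401,fd=5))
"""
```

On a live Linux host, pass `live_procs()` together with `listening_pids()` of the captured `ss -lptn` output to `find_suspicious()`; a hit is a process to investigate, not proof of exploitation, since legitimate software is occasionally launched from `/tmp`.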
## References
- Vendor Advisory: hxxps://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
- Research/PoC: hxxps://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
- Related Threat Intelligence (UNC5174): hxxps://cloud.google.com/blog/topics/threat-intelligence/initial-access-brokers-exploit-f5-screenconnect
- Related Threat Intelligence (UNC5174): hxxps://cloud.google.com/blog/topics/threat-intelligence/connectwise-screenconnect-hardening-remediation