Ethical Hacking News

Chinese Hackers Exploit VMware Zero-Day Vulnerability for Over a Year


Chinese hackers have been exploiting a zero-day vulnerability in VMware Aria Operations and VMware Tools software since October 2024, according to NVISO threat researcher Maxime Thiebaut. This vulnerability has been linked to the UNC5174 Chinese state-sponsored threat actor and allows an unprivileged local attacker to stage a malicious binary within any of the broadly-matched regular expression paths.

  • Chinese hackers have been exploiting a zero-day vulnerability in VMware Aria Operations and VMware Tools software since October 2024.
  • The vulnerability, CVE-2025-41244, has been linked to the UNC5174 Chinese state-sponsored threat actor.
  • An unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths using this vulnerability.
  • Exploitation of the flaw has been linked to various malicious activities, including breaches of US defense contractors, UK government entities, and Asian institutions.
  • Broadcom recently patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software.



    Chinese hackers have been exploiting a zero-day vulnerability in VMware Aria Operations and VMware Tools software since October 2024, according to a recent disclosure by NVISO threat researcher Maxime Thiebaut. The vulnerability, identified as CVE-2025-41244, has been linked to the UNC5174 Chinese state-sponsored threat actor, which is known for its involvement in various high-profile cyberattacks in recent years.

    The zero-day vulnerability allows an unprivileged local attacker to stage a malicious binary within any of the broadly-matched regular expression paths. According to Thiebaut, the attacker only needs to run that binary as an unprivileged user and have it open at least one listening socket on an arbitrary port. Thiebaut also released a proof-of-concept exploit demonstrating how the flaw can be used to escalate privileges on systems running vulnerable VMware Aria Operations (in credential-based mode) and VMware Tools (in credential-less mode).
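    The precondition described above (an unprivileged user's binary, staged in a user-writable location, holding a listening socket) is something a defender can audit for directly. The script below is an added example and is not code from the article, from NVISO or from VMware; it assumes a Linux host and the `users:(("name",pid=N,fd=M))` process column printed by `ss -lntp`, and the sample `ss` output and pid-to-path map embedded in it are constructed.

```python
"""Flag listening processes whose executable lives outside trusted system paths.

Added defender-side example; not code from the article, NVISO or VMware.
Assumes Linux and the process column format of `ss -lntp`.
"""
import os
import re
import subprocess
from typing import Callable, List, Optional, Set, Tuple

# Directories where a privileged service-discovery component would normally
# expect to find legitimate daemons. Anything else (e.g. /tmp, /dev/shm, a
# home directory) is writable by unprivileged users and deserves review.
TRUSTED_PREFIXES = (
    "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
    "/bin/", "/sbin/", "/opt/",
)

# `ss -lntp` appends a column like: users:(("sshd",pid=812,fd=3))
PID_RE = re.compile(r"pid=(\d+)")


def parse_listening_pids(ss_output: str) -> Set[int]:
    """Extract the PIDs of every process that owns a LISTEN socket."""
    pids: Set[int] = set()
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue  # skip the header row and any non-listening rows
        pids.update(int(m) for m in PID_RE.findall(line))
    return pids


def resolve_exe(pid: int, proc_root: str = "/proc") -> Optional[str]:
    """Resolve a PID to the path of its executable via /proc/<pid>/exe."""
    try:
        return os.readlink(f"{proc_root}/{pid}/exe")
    except OSError:
        return None  # process exited, or we lack permission to read the link


def is_untrusted_path(exe: str) -> bool:
    """True when the executable is not under one of the trusted prefixes."""
    exe = exe.replace(" (deleted)", "")  # readlink marks unlinked binaries
    return not exe.startswith(TRUSTED_PREFIXES)


def audit(ss_output: str,
          exe_lookup: Callable[[int], Optional[str]]) -> List[Tuple[int, str]]:
    """Return (pid, exe) for each listener running from an untrusted location."""
    findings: List[Tuple[int, str]] = []
    for pid in sorted(parse_listening_pids(ss_output)):
        exe = exe_lookup(pid)
        if exe is not None and is_untrusted_path(exe):
            findings.append((pid, exe))
    return findings


# Constructed sample: what `ss -lntp` might print on a small host, plus a
# constructed pid-to-executable map standing in for /proc lookups.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:8080       0.0.0.0:*     users:(("netsvc",pid=4172,fd=5))
LISTEN 0      128        127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=990,fd=7))
"""
SAMPLE_EXES = {812: "/usr/sbin/sshd", 4172: "/tmp/netsvc", 990: "/usr/sbin/cupsd"}


if __name__ == "__main__":
    try:
        live = subprocess.run(["ss", "-lntp"], capture_output=True,
                              text=True, check=False).stdout
        findings = audit(live, resolve_exe)
    except FileNotFoundError:
        # ss is not installed: fall back to the constructed sample data
        findings = audit(SAMPLE_SS, SAMPLE_EXES.get)
    for pid, exe in findings:
        print(f"pid {pid}: listening process runs from untrusted path {exe}")
```

    Run as root so that /proc/<pid>/exe is readable for every process; any hit is a candidate for the staging behaviour the article describes and should be checked against the host's expected services before a privileged discovery component gets a chance to act on it.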

    The exploitation of this zero-day vulnerability has been linked to various malicious activities, including breaches of the networks of U.S. defense contractors, UK government entities, and Asian institutions in late 2023. In February 2024, UNC5174 also exploited the CVE-2024-1709 ConnectWise ScreenConnect flaw to breach hundreds of U.S. and Canadian institutions.

    In addition to these recent attacks, other Chinese threat actors such as Chaya_004, UNC5221, and CL-STA-0048 have also joined in this wave of attacks, backdooring over 580 SAP NetWeaver instances, including critical infrastructure in the United Kingdom and the United States. This highlights the ongoing threat posed by state-sponsored hackers who are actively exploiting zero-day vulnerabilities to compromise various organizations.

    Broadcom has recently patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which had been exploited since October 2024. The company thanked NVISO threat researcher Maxime Thiebaut for reporting the bug in May. Although Broadcom did not initially acknowledge that the vulnerability was being exploited, it has now taken steps to address the issue.

    In other recent news related to cybersecurity threats, Microsoft warned of a high-severity flaw in hybrid Exchange deployments, and a report noted that VMware certification is surging in a shifting IT landscape. CISA also warned of critical Linux sudo flaws exploited in attacks, and ordered agencies to patch Cisco flaws exploited in zero-day attacks.

    In conclusion, the exploitation of a zero-day vulnerability in VMware Aria Operations and VMware Tools software by Chinese hackers since October 2024 is a worrying trend that highlights the ongoing threat posed by state-sponsored hackers. It is essential for organizations to take proactive measures to address this vulnerability and ensure their systems are protected against such attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Chinese-Hackers-Exploit-VMware-Zero-Day-Vulnerability-for-Over-a-Year-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-vmware-zero-day-since-october-2024/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-41244

  • https://www.cvedetails.com/cve/CVE-2025-41244/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-1709

  • https://www.cvedetails.com/cve/CVE-2024-1709/

  • https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html

  • https://cybersecuritynews.com/chinese-hackers-exploit-sap-rce-vulnerability/

  • https://thehackernews.com/2025/09/unc5221-uses-brickstorm-backdoor-to.html

  • https://cybersecurefox.com/en/kimsuky-apt-group-hacked-activists-state-cyber-operations/


  • Published: Tue Sep 30 12:24:11 2025 by llama3.2 3B Q4_K_M