Ethical Hacking News
A new zero-day exploit discovered in VMware products by Chinese hackers could be a major threat to virtualized environments worldwide. A vulnerability in the VMware Tools software can be exploited by an attacker with non-administrative privileges on a VM running VMware Cloud Foundation or vSphere Foundation, allowing them to gain elevated access to the system. This is not the first time this year that VMware has been targeted by hackers, and cybersecurity experts are urging organizations to take immediate action to patch their systems and ensure robust security controls.
VMware products are vulnerable to a new zero-day exploit (CVE-2025-41244) that can be used by attackers to gain elevated access to virtual machines. The vulnerability affects several versions of VMware Cloud Foundation and vSphere Foundation on both Windows and Linux. The attack vector involves the use of a malicious binary located at "/tmp/httpd" and exploits a function called "get_version()" in the VMware Tools software. No patch is yet available for this vulnerability, and organizations are urged to take immediate action to patch their systems. The exploit has been linked to a China-linked threat actor known as UNC5174 (Uteus), which has a track record of exploiting various security flaws. Cybersecurity experts are warning organizations to stay vigilant and monitor their systems closely, because the broad-matching patterns used in the software's regex functions can be abused to bypass security controls.
Threat actors are once again taking advantage of a newly discovered vulnerability in VMware products, leaving many organizations worried about the potential for cyber attacks. The latest zero-day exploit affects several versions of VMware Cloud Foundation and vSphere Foundation, including 4.x, 5.x, 9.x.x.x, 13.x.x.x (Windows, Linux), VMware Aria Operations 8.x, and VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux). This is not the first time this year that VMware has been targeted by hackers, as a similar zero-day exploit was discovered in February.
The vulnerability in question, CVE-2025-41244, is a local privilege escalation bug that can be exploited by an attacker to gain elevated access to a virtual machine (VM) running VMware Cloud Foundation or vSphere Foundation. The attack vector involves the use of a malicious binary located at "/tmp/httpd" and exploits a function called "get_version()" in the VMware Tools software.
According to NVISO Labs, a cybersecurity firm that discovered the vulnerability, the attackers are likely to be using the newly discovered zero-day exploit as part of their tactics to gain unauthorized access to vulnerable systems.
"The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years," said NVISO researcher Maxime Thiebaut. The researcher warned that this vulnerability can be exploited by an attacker with non-administrative privileges on a VM running VMware Cloud Foundation or vSphere Foundation, and noted that no patch is yet available.
The threat actor behind this zero-day exploit has been linked to a China-linked group known as UNC5174 (also referred to as Uteus), which has a track record of exploiting various security flaws to obtain initial access to target environments. This group was responsible for several high-profile attacks in the past, including exploits of Ivanti and SAP NetWeaver.
"We can however not assess whether this exploit was part of UNC5174's capabilities or whether the zero-day's usage was merely accidental due to its trivialness," said NVISO researcher Maxime Thiebaut. He warned that the use of broad-matching patterns in regex functions has allowed attackers to bypass security controls, and called for organizations to take immediate action to patch their systems.
VMware has confirmed the vulnerability and released an advisory warning its customers about the exploit. The company also noted that VMware Tools 12.4.9, which is part of VMware Tools 12.5.4, remediates the issue for Windows 32-bit systems, while a version of open-vm-tools that addresses CVE-2025-41244 will be distributed by Linux vendors.
In light of this new zero-day exploit, cybersecurity experts are urging organizations to take immediate action to patch their VMware products and ensure that they have robust security controls in place to prevent unauthorized access to sensitive data. The use of broad-matching patterns in regex functions has allowed attackers to bypass security controls, and it is essential for organizations to stay vigilant and monitor their systems closely.
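To make the two points above concrete (a name-based match is broad enough to accept a binary dropped in /tmp, and defenders can hunt for system-binary names running from user-writable directories), here is an added Python example. It is not NVISO's or VMware's code: the regex, the allow-list and the process listing are constructed assumptions for illustration only.

```python
import os
import re
from typing import Dict, List

# Hypothetical broad pattern of the kind the article warns about (an assumption for this
# example, not VMware Tools' actual code): any path ending in "/httpd" is accepted.
BROAD_PATTERN = re.compile(r"^\S+/httpd$")

# Hardened alternative (also an assumption): only package-managed absolute paths count.
ALLOWED_HTTPD_PATHS = {"/usr/sbin/httpd", "/usr/local/apache2/bin/httpd"}

# Names worth watching, and directories a non-privileged user can normally write to.
SYSTEM_NAMES = {"httpd", "sshd", "nginx"}
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed process listing (PID, user, executable path), not real telemetry.
SAMPLE_PS = """\
PID USER EXE
812 root /usr/sbin/httpd
4711 www-data /tmp/httpd
5120 alice /home/alice/.cache/httpd
777 root /usr/bin/sshd
"""

def broad_match(exe_path: str) -> bool:
    """Loose match: shows how a name-only regex accepts /tmp/httpd as a real web server."""
    return BROAD_PATTERN.match(exe_path) is not None

def strict_match(exe_path: str) -> bool:
    """Allow-list match: the same binary name outside its expected location is rejected."""
    return exe_path in ALLOWED_HTTPD_PATHS

def parse_ps(text: str) -> List[Dict[str, str]]:
    """Parse the three-column listing above into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        pid, user, exe = line.split(maxsplit=2)
        rows.append({"pid": pid, "user": user, "exe": exe})
    return rows

def find_masquerading(text: str) -> List[str]:
    """Return executables that carry a system-binary name but run from a user-writable
    directory: the hunting signal a defender would alert on for this class of bug."""
    hits = []
    for row in parse_ps(text):
        exe = row["exe"]
        if os.path.basename(exe) in SYSTEM_NAMES and exe.startswith(USER_WRITABLE_PREFIXES):
            hits.append(exe)
    return hits

if __name__ == "__main__":
    print("broad accepts /tmp/httpd:", broad_match("/tmp/httpd"))    # True
    print("strict accepts /tmp/httpd:", strict_match("/tmp/httpd"))  # False
    print("masquerading:", find_masquerading(SAMPLE_PS))
```

The same basename-plus-location check can be run over EDR or auditd process-creation events instead of the constructed listing.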
Related Information:
https://www.ethicalhackingnews.com/articles/New-VMware-Zero-Day-Vulnerability-Exposed-A-Global-Threat-to-Virtualized-Environments-ehn.shtml
https://thehackernews.com/2025/09/urgent-china-linked-hackers-exploit-new.html
https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-vmware-zero-day-since-october-2024/
Published: Tue Sep 30 10:27:46 2025 by llama3.2 3B Q4_K_M