- Broadcom patches CVE-2025-41244, a high-severity VMware privilege escalation flaw
- The Chinese actor UNC5174 exploited the flaw using malicious binaries staged in paths such as /tmp/httpd
- UNC5174 previously attacked French government and commercial sectors using Ivanti CSA vulnerabilities
Broadcom has patched a high-severity vulnerability affecting its VMware Aria Operations and VMware Tools products that was apparently exploited as a zero-day in real-world attacks.
In a new security advisory, the company said it fixed a local privilege escalation vulnerability that allowed a local user with limited access to a VM to become root (if VMware Tools was running in that VM and the VM was managed by Aria Operations with SDMP enabled). The flaw is now tracked as CVE-2025-41244 and was given a severity score of 7.8/10 (high).
Those looking for a fix for 32-bit Windows should look for VMware Tools 12.4.9, which is part of VMware Tools 12.5.4. For Linux, a fixed version of open-vm-tools will be distributed by Linux vendors.
UNC5174 blamed
The advisory also mentions a couple of other vulnerabilities that were fixed, but makes no mention of in-the-wild abuse.
However, BleepingComputer saw a separate report from cybersecurity researchers at Nviso, who not only confirmed the exploitation but also published a proof of concept (PoC) demonstrating how threat actors could exploit the flaw to escalate privileges on compromised systems.
They also said that Chinese state-sponsored actors were the ones who took advantage of this flaw: "To abuse this vulnerability, a non-privileged local attacker can stage a malicious binary within any of the broadly matching regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd," Nviso said in a report.
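The detail above, that the abused binaries sit in broadly matched paths such as /tmp/httpd and end up running with root privileges, gives defenders a simple thing to hunt for: root-owned processes whose executable lives in a directory any local user can write to. The following audit helper is an added example written for this article; it is not code from Broadcom, Nviso or the report. The process-list format ("pid uid exe-path" per line), the list of world-writable directories and the service-name patterns are assumptions chosen for illustration, and the sample process list is constructed.

```python
"""Audit a process list for root processes executing from world-writable paths.

Added example for the article above (not Broadcom's or Nviso's code).
Assumptions: input lines are "pid uid exe_path"; the directory list and the
service-name patterns below are illustrative choices, not a complete set.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Directories an unprivileged local user can normally write to (assumption).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Binary names that mimic common services; /tmp/httpd is the path the article
# names, the others are added here as plausible look-alikes (assumption).
SERVICE_NAME_RE = re.compile(r"^(httpd|nginx|mysqld|sshd|postgres)$")


@dataclass
class Proc:
    pid: int
    uid: int
    exe: str


def parse_proc_lines(text: str) -> List[Proc]:
    """Parse constructed 'pid uid exe_path' lines; blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, uid, exe = line.split(maxsplit=2)
        procs.append(Proc(int(pid), int(uid), exe.strip()))
    return procs


def audit(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, exe, reason) for every root process running from a
    world-writable directory.  A service-like name raises the reason text,
    but any root execution from such a directory is reported."""
    findings = []
    for p in procs:
        if p.uid != 0:
            continue  # only privileged processes matter here
        if not p.exe.startswith(WRITABLE_DIRS):
            continue  # binary lives in a normal, root-owned location
        reason = "root process executing from world-writable directory"
        if SERVICE_NAME_RE.match(os.path.basename(p.exe)):
            reason += "; name mimics a service binary"
        findings.append((p.pid, p.exe, reason))
    return findings


def live_procs() -> List[Proc]:
    """Collect real processes from /proc on Linux (not used by the sample run)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            uid = os.stat(f"/proc/{entry}").st_uid
        except OSError:
            continue  # process exited or is not readable
        procs.append(Proc(int(entry), uid, exe))
    return procs


# Constructed sample: two benign root daemons, one unprivileged build job,
# and two root processes started from writable locations.
SAMPLE_PROCS = """\
1 0 /usr/lib/systemd/systemd
842 0 /usr/sbin/sshd
1337 1000 /tmp/build/a.out
2048 0 /tmp/httpd
2051 0 /dev/shm/.x/mysqld
"""


def run_sample() -> List[Tuple[int, str, str]]:
    return audit(parse_proc_lines(SAMPLE_PROCS))


if __name__ == "__main__":
    for pid, exe, reason in run_sample():
        print(f"pid={pid} exe={exe}: {reason}")
```

The unprivileged process in /tmp/build is deliberately left alone: the signal of interest is the combination of root privileges and a writable origin path, which is exactly what the staged-binary abuse described above produces. On a real host, swap `run_sample()` for `audit(live_procs())`.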
UNC5174 is a Chinese state-sponsored actor. This summer, it was reported that the group attacked French government agencies in late 2024, as well as numerous commercial entities such as telecommunications, finance and transport organizations.
At that time, the French National Agency for the Security of Information Systems (ANSSI) pointed out that the threat actors abused three security vulnerabilities in Ivanti CSA devices: CVE-2024-8963, CVE-2024-9380 and CVE-2024-8190.