- Broadcom patches CVE-2025-41244, a high-severity VMware privilege escalation zero-day
- Chinese actor UNC5174 exploited the bug using malicious binaries in paths like /tmp/httpd
- UNC5174 previously targeted French government and commercial sectors using Ivanti CSA vulnerabilities
Broadcom has patched a high-severity vulnerability affecting its VMware Aria Operations and VMware Tools that was apparently used as a zero-day in real-world attacks.
In a new security advisory, the company said it fixed a local privilege escalation vulnerability which allowed a local user with limited access to a VM to become root (if VMware Tools and Aria Operations, with SDMP enabled, were running on that VM). The bug is now tracked as CVE-2025-41244 and was given a severity score of 7.8/10 (high).
Those looking for a fix for Windows 32-bit should seek out VMware Tools 12.4.9, part of VMware Tools 12.5.4. For Linux, there's a version of open-vm-tools that will be distributed by Linux vendors.
UNC5174 accused
The advisory also mentions a pair of other vulnerabilities that were fixed, but it doesn't mention any in-the-wild abuse.
BleepingComputer, however, saw a separate report from cybersecurity researchers NVISO, who not only confirmed it, but also released a proof-of-concept (PoC) that demonstrates how threat actors might exploit the bug to escalate privileges on compromised systems.
They also said that Chinese state-sponsored actors were the ones leveraging this bug: "To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd," NVISO said in a report.
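The defender-side takeaway from the NVISO description is that an executable carrying a service-like name but living in a user-writable scratch directory is the artifact to hunt for. The following is an added illustration of that hunt, not NVISO's PoC and not code from Broadcom or VMware. It assumes a defender has already collected binary paths from a host (a constructed sample list is embedded below); the scratch directories and the service-name list are assumptions, with /tmp/httpd being the one location the report names.

```python
"""Flag binaries staged in scratch directories under service-like names.

Added example, not code from NVISO, Broadcom or VMware. It works on a
list of paths a defender has already collected (e.g. from process or
file inventory); the sample list below is constructed.
"""
import re
from typing import Iterable

# Assumption: directories an unprivileged local user can normally write to.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Assumption: daemon names an attacker might mimic. /tmp/httpd is the only
# location the NVISO report itself cites; the rest are constructed.
SERVICE_NAMES = ("httpd", "nginx", "sshd", "mysqld", "postgres", "vmtoolsd")

# <scratch dir>/<zero or more subdirs>/<service-like basename with any suffix>
STAGED_RE = re.compile(
    r"^(?:" + "|".join(re.escape(d) for d in SCRATCH_DIRS) + r")"
    r"(?:/[^/]+)*/(?:" + "|".join(SERVICE_NAMES) + r")[^/]*$"
)


def is_suspicious_path(path: str) -> bool:
    """True when the path sits in a scratch dir and mimics a service name."""
    return STAGED_RE.match(path) is not None


def find_staged_binaries(paths: Iterable[str]) -> list[str]:
    """Return the sorted, de-duplicated subset of paths worth investigating."""
    return sorted({p for p in paths if is_suspicious_path(p)})


# Constructed sample inventory: two legitimate locations, three staged ones,
# and two files that should not trigger.
SAMPLE_PATHS = [
    "/usr/sbin/httpd",          # legitimate install location
    "/tmp/httpd",               # the location cited in the report
    "/var/tmp/build/nginx",     # nested under a scratch dir
    "/dev/shm/sshd-agent",      # service-like prefix with a suffix
    "/home/alice/httpd.conf",   # not under a scratch dir
    "/tmp/notes.txt",           # scratch dir, but no service-like name
]

if __name__ == "__main__":
    for hit in find_staged_binaries(SAMPLE_PATHS):
        print("suspicious:", hit)
```

In practice the path list would come from a process listing or file-integrity inventory, and a hit is a trigger for investigation rather than proof of compromise; the real signal for this bug is such a file sitting on a VM that also runs VMware Tools with Aria Operations SDMP enabled and has not yet received the fixed Tools or open-vm-tools build.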
UNC5174 is a known Chinese state-sponsored actor. This summer, it was reported that the group targeted French government agencies in late 2024, as well as numerous commercial entities such as telcos, finance, and transportation organizations.
Back then, the French National Agency for the Security of Information Systems (ANSSI) noted threat actors were abusing three security vulnerabilities in Ivanti CSA devices: CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.