
China-Linked APT Exploits VMware Zero-Day Vulnerability Active Since October 2024

A newly discovered and actively exploited local privilege escalation vulnerability in VMware Tools and Aria Operations, tracked as CVE-2025-41244, has been leveraged as a zero-day since mid-October 2024. The exploitation has been attributed to UNC5174, a China-linked advanced persistent threat (APT) group.

UNC5174

UNC5174 is a China-linked advanced threat actor that conducts targeted intrusions against enterprise virtualization and cloud infrastructure. The group focuses on gaining local footholds on virtual machines and rapidly escalating privileges to obtain root-level access. Operators commonly stage malicious binaries in writable system directories to evade detection, abuse service/version discovery logic to trigger execution, and spawn elevated shells for persistence and post-exploitation activity. UNC5174’s operations prioritize stealthy privilege escalation, lateral movement within virtualized environments, and long-term access to sensitive systems and data.

Vulnerability Details

CVE-2025-41244 is a local privilege escalation vulnerability affecting VMware Tools running on virtual machines managed by Aria Operations with SDMP (Service Discovery Management Pack) enabled.

An unprivileged local attacker can escalate privileges to root by exploiting how VMware matches process binaries using regex patterns. The flaw allows malicious users to stage binaries in writable directories like /tmp/, which can then be inadvertently executed by the system with elevated privileges.

  • CVSS Score: 7.8 (High)
  • Discovered by: Maxime Thiebaut (NVISO), on May 19, 2025, during incident response

Root Cause

The issue lies in the get_version() function used by Aria Operations to detect software versions. It uses regex patterns to identify matching binaries for processes with open sockets.

The problem originates from the use of a broad-matching regex character class (\S), which unintentionally matches non-system binaries such as /tmp/httpd. Since the /tmp directory is writable by default, attackers can place malicious binaries there. If the binary name matches the regex, Aria Operations will invoke it, potentially granting root-level access.
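The following is an added illustration, not VMware's code: the actual SDMP pattern is not on this page, so BROAD_PATTERN is an assumed stand-in that mirrors the \S-based matching described above, and TRUSTED_DIRS is an assumed allowlist. It contrasts the broad match with a path-scoped one and flags socket-holding processes whose binary would be picked up only by the broad pattern.

```python
import re

# Assumed stand-in for the broad discovery pattern described in the write-up:
# \S+ accepts any non-whitespace prefix, so any directory qualifies.
BROAD_PATTERN = re.compile(r"^(\S+/)?httpd$")

# Hardened form (assumption): only binaries under an explicit allowlist of
# root-owned, non-world-writable system directories are eligible.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/local/sbin/", "/sbin/", "/bin/")
SCOPED_PATTERN = re.compile(
    r"^(?:" + "|".join(re.escape(d) for d in TRUSTED_DIRS) + r")httpd$"
)


def broad_match(path: str) -> bool:
    """True if the broad (\\S-style) pattern would select this binary."""
    return BROAD_PATTERN.match(path) is not None


def scoped_match(path: str) -> bool:
    """True only if the binary sits in one of the trusted directories."""
    return SCOPED_PATTERN.match(path) is not None


def find_hijack_candidates(listening_procs):
    """Given (pid, exe_path) pairs for processes with open sockets, return those
    the broad pattern would invoke even though the binary lives outside the
    trusted directories, i.e. the /tmp/httpd staging described above."""
    return [
        (pid, exe)
        for pid, exe in listening_procs
        if broad_match(exe) and not scoped_match(exe)
    ]


# Constructed sample of socket-holding processes, not real telemetry.
SAMPLE_PROCS = [
    (1203, "/usr/sbin/httpd"),
    (4417, "/tmp/httpd"),
    (4502, "/home/user/.cache/httpd"),
    (611, "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for pid, exe in find_hijack_candidates(SAMPLE_PROCS):
        print(f"pid {pid}: {exe} matches discovery regex outside trusted paths")
```

On a live host the same filter can be fed the exe paths of processes that currently hold listening or connected sockets; any hit outside the allowlist is worth investigating.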

Impact & Exploit Potential

The exploit involves:

  1. Placing a malicious binary at /tmp/httpd.
  2. Ensuring it is executed by an unprivileged process that opens a socket.
  3. Triggering the regex match and version-check logic to run the binary as root.

This provides full privileged code execution, enabling attackers to:

  • Elevate from an unprivileged user to root
  • Install persistence mechanisms
  • Perform post-exploitation activity such as lateral movement or data collection

UNC5174 was observed using this method in real-world attacks to spawn a root shell.

Affected Products

The following VMware products and versions are affected by CVE-2025-41244:

  • VMware Tools: 11.x.x, 12.x.x, 13.x.x (Windows, Linux)
  • VMware Aria Operations: 8.x
  • VMware Cloud Foundation: 4.x, 5.x, 9.x.x.x, 13.x.x.x
  • VMware vSphere Foundation: 9.x.x.x, 13.x.x.x
  • VMware Telco Cloud Platform: 4.x, 5.x
  • VMware Telco Cloud Infrastructure: 2.x, 3.x

Mitigation & Recommendations

Broadcom (parent company of VMware) has issued security updates to remediate this vulnerability. The following versions fix the issue:

  • VMware Cloud Foundation: 9.0.1.0
  • VMware Tools: 13.0.5.0
  • VMware Tools: 12.5.4 (includes 12.4.9 for 32-bit Windows)
  • VMware Aria Operations: 8.18.5

For Linux distributions, an updated version of open-vm-tools will be made available via respective vendors.

Additional Recommendations:

  • Search for the presence of suspicious binaries in /tmp/, particularly /tmp/httpd
  • Monitor systems for unusual privilege escalations
  • Ensure SDMP configurations are reviewed and regex patterns are properly scoped
  • Apply least privilege access policies to reduce the attack surface

Indicators of Compromise

  • File Path: /tmp/httpd — used by UNC5174 as the location for staging the malicious binary
  • Behavioral Indicators: Unusual root shell access spawned from non-system binaries

Tactics, Techniques, and Procedures

UNC5174 leveraged standard privilege escalation tactics in this exploitation chain. The attack behavior aligns with the following MITRE ATT&CK techniques:

  • TA0004 – Privilege Escalation
    • T1068 – Exploitation for Privilege Escalation: Exploiting system/application vulnerabilities to gain elevated privileges

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.