Chinese Hackers Exploit VMware Zero-Day For A Year

A serious security flaw in widely used VMware software has been actively exploited in the wild for almost a year, with cybersecurity researchers attributing the campaign to a Chinese state-sponsored hacking group.

Broadcom, the company that owns VMware, has released patches for the bug, tracked as CVE-2025-41244, a local privilege escalation (LPE) affecting VMware Aria Operations' Service Discovery Management Pack (SDMP) and VMware Tools (open-vm-tools).

The flaw (CVSS score: 7.8) allows attackers with limited access inside a virtual machine (VM) to gain full administrator (root) privileges. Once inside, hackers take full control of VMs to run malicious code, steal data, or install backdoors to maintain long-term access.

Exploited Since October 2024

Cybersecurity firm NVISO claims it has found evidence that the zero-day vulnerability was exploited in the wild starting in mid-October 2024, well before a patch was available. The attacks were attributed to UNC5174, a China-linked group that Google's Mandiant believes works as a contractor for the country's Ministry of State Security.

UNC5174 has a history of exploiting newly discovered software vulnerabilities. In the past, the group has been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK.

How The Exploit Works

At the heart of the issue is VMware's service discovery feature, which scans VMs to see which programs are running. Those scans use broad pattern matching to find program names that, researchers found, can be tricked into mistaking a malicious program for a legitimate one.

All an attacker needs to do is place a fake program in a temporary folder, for example disguising it as /tmp/httpd (a common web server binary name). When the VMware scanner runs, it may think the fake program is the real service and unknowingly execute the attacker's code with elevated privileges. That's all it takes to get full control.

"As simple as it sounds — you name it, VMware elevates it," said NVISO researcher Maxime Thiebaut, who reported the flaw to Broadcom in May 2025.
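To make the matching weakness concrete, here is an added example (not VMware's, NVISO's or the article's code) that contrasts a name-only matcher with one that also requires the binary to live in a trusted, root-owned location. The service names, the regular expression and the directory lists are assumptions chosen for illustration, not VMware's actual implementation.

```python
import posixpath
import re

# Added illustration, not VMware's code: the service names, the pattern and the
# directory lists are assumptions chosen to show the class of mistake.
SERVICE_NAMES = ("httpd", "nginx", "mysqld", "sshd")

# Name-only match: any path whose last component is a known service name
# qualifies, regardless of where the file lives, so /tmp/httpd passes.
BROAD_PATTERN = re.compile(r"^\S*/(%s)$" % "|".join(SERVICE_NAMES))

# Where a genuine service binary is expected; only root can write here.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                "/usr/local/sbin/", "/usr/local/bin/")
# Locations any local user can populate; nothing here should ever be
# treated as a system service.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def broad_match(exe_path: str) -> bool:
    """Weak check: trusts the file name alone (the kind of match the article describes)."""
    return BROAD_PATTERN.match(exe_path) is not None


def strict_match(exe_path: str) -> bool:
    """Hardened check: the name must match AND the path must be absolute,
    already normalised (no '..' segments or doubled slashes) and under a
    trusted system directory that ordinary users cannot write to."""
    if not exe_path.startswith("/"):
        return False
    if posixpath.normpath(exe_path) != exe_path:
        return False  # rejects /usr/sbin/../../tmp/httpd and similar tricks
    if posixpath.basename(exe_path) not in SERVICE_NAMES:
        return False
    if exe_path.startswith(WRITABLE_DIRS):
        return False
    return exe_path.startswith(TRUSTED_DIRS)


def compare(paths):
    """Return {path: (broad, strict)} so the two policies can be compared side by side."""
    return {p: (broad_match(p), strict_match(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths: genuine binaries and user-planted look-alikes.
    for path, (broad, strict) in compare([
        "/usr/sbin/httpd",
        "/tmp/httpd",
        "/usr/sbin/../../tmp/httpd",
        "/home/user/nginx",
        "/usr/sbin/httpd2",
    ]).items():
        print(f"{path:32} broad={broad!s:5} strict={strict}")
```

The point of the hardened version is that a file name is attacker-controlled, while the set of directories that only root can write to is not; on a live system a further check that the file is owned by root and not group- or world-writable closes the remaining gap.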

Affected Versions

The versions affected by the CVE-2025-41244 vulnerability are:

  • VMware Cloud Foundation 4.x and 5.x
  • VMware Cloud Foundation 9.x.x.x
  • VMware Cloud Foundation 13.x.x.x (Windows, Linux)
  • VMware vSphere Foundation 9.x.x.x
  • VMware vSphere Foundation 13.x.x.x (Windows, Linux)
  • VMware Aria Operations 8.x
  • VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)
  • VMware Telco Cloud Platform 4.x and 5.x
  • VMware Telco Cloud Infrastructure 2.x and 3.x

What It Means For Organizations

Since this is a local privilege escalation vulnerability, attackers first need a foothold on a virtual machine. Once inside, however, the bug makes it easy to gain root access.

NVISO warns that, in addition to the China-linked group UNC5174, other malware may have exploited this weakness for years. The company even released a proof-of-concept (PoC) exploit to demonstrate how quickly attackers can gain root access.

Broadcom's Response

Broadcom has now patched the flaw across multiple VMware products, including:

  • VMware Tools (Windows & Linux)
  • VMware Aria Operations 8.x
  • VMware Cloud Foundation versions 4.x through 13.x
  • VMware Telco Cloud Platform and Infrastructure

Recommendations

To stay protected, organizations should apply Broadcom's patches immediately and closely monitor systems for unusual child processes launched by VMware services. Security teams are also advised to harden temporary directories, such as restricting writes to /tmp, and to limit both network and user access to guest VMs, reducing the chances of attackers gaining an initial foothold.
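The monitoring advice above can be turned into a concrete detection rule. The following added example (not from the article, NVISO or Broadcom) scans constructed process-creation events and flags children of the VMware guest agent that were started from user-writable or otherwise unexpected locations. The event line format, the agent process name (vmtoolsd) and the directory lists are assumptions; adapt the parser to your auditd or EDR output.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events in a simplified line format
# assumed for this example. Fields: timestamp, parent executable, uid the
# child runs as, child executable.
SAMPLE_EVENTS = """\
2025-10-01T09:12:01Z parent=/usr/bin/vmtoolsd uid=0 exe=/usr/sbin/httpd
2025-10-01T09:12:02Z parent=/usr/bin/vmtoolsd uid=0 exe=/tmp/httpd
2025-10-01T09:12:03Z parent=/usr/bin/bash uid=1000 exe=/tmp/httpd
2025-10-01T09:12:04Z parent=/usr/bin/vmtoolsd uid=0 exe=/var/tmp/nginx
2025-10-01T09:12:05Z parent=/usr/bin/vmtoolsd uid=0 exe=/opt/vendor/mysqld
2025-10-01T09:12:06Z parent=/usr/bin/vmtoolsd uid=0 exe=/usr/sbin/sshd
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) parent=(?P<parent>\S+) uid=(?P<uid>\d+) exe=(?P<exe>\S+)$"
)

# Guest-agent process paths to watch (assumed; open-vm-tools runs as vmtoolsd).
VMWARE_PARENTS = {"/usr/bin/vmtoolsd", "/usr/sbin/vmtoolsd"}
# System directories where a service binary launched by the agent is expected.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                "/usr/local/sbin/", "/usr/local/bin/")
# Locations any local user can write to.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


@dataclass
class Alert:
    ts: str
    exe: str
    severity: str
    reason: str


def parse_events(text):
    """Yield one dict per well-formed event line; malformed lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield m.groupdict()


def detect_suspicious_spawns(text):
    """Flag children of the VMware agent that run from untrusted locations."""
    alerts = []
    for ev in parse_events(text):
        if ev["parent"] not in VMWARE_PARENTS:
            continue  # only children of the VMware agent are in scope
        exe = ev["exe"]
        if exe.startswith(WRITABLE_DIRS):
            alerts.append(Alert(ev["ts"], exe, "high",
                f"VMware agent executed a binary from a user-writable path as uid {ev['uid']}"))
        elif not exe.startswith(TRUSTED_DIRS):
            alerts.append(Alert(ev["ts"], exe, "medium",
                "VMware agent executed a binary outside the expected system directories"))
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_spawns(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.ts} {a.exe}: {a.reason}")
```

The "medium" tier exists because legitimate third-party services do live under paths such as /opt; tune TRUSTED_DIRS to your baseline rather than silencing the rule, and treat any "high" hit (agent-spawned binary in /tmp, /var/tmp or /dev/shm) as an incident until proven otherwise.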

Why It Matters

The VMware flaw underscores how even small oversights can become powerful tools for attackers. With active exploitation already confirmed, fast patching, system monitoring, and limiting attacker entry points are critical to keep virtual environments secure.

Kavita Iyer, https://www.techworm.net