A newly listed VMware zero-day vulnerability has been actively exploited by Chinese state-sponsored threat actors for almost a year, according to security researchers.
The vulnerability, CVE-2025-41244, was reported to VMware parent Broadcom by NVISO researchers, who published a blog post on September 29 detailing the in-the-wild exploitation. Broadcom addressed the vulnerability in an advisory published the same day.
The local privilege escalation vulnerability, rated 7.8, affects specific versions of VMware Aria Operations, VMware Tools, VMware Cloud Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure.
CVE-2025-41244 could be exploited by a malicious local actor with non-administrative privileges who has access to a VM that has VMware Tools installed and is managed by Aria Operations with SDMP (Service Discovery Management Pack) enabled. The threat actor could then escalate privileges to root on that VM.
VMware Vulnerability CVE-2025-41244 Linked to UNC5174
NVISO first detected evidence of the exploit in May 2025, although the blog post by threat researcher and incident responder Maxime Thiebaut states that the company has since identified in-the-wild zero-day exploitation dating back to mid-October 2024. The company disclosed the vulnerability to Broadcom two days after identifying the zero-day and reproducing it in a lab environment.
NVISO attributes the exploit to UNC5174, a Chinese state-sponsored threat actor known for obtaining initial access through exploitation of publicly known vulnerabilities.
“While NVISO identified these vulnerabilities through its UNC5174 incident response engagements, the vulnerabilities’ trivialness and adversary practice of mimicking system binaries (T1036.005) do not allow us to determine with confidence whether UNC5174 willfully achieved exploitation,” said Thiebaut, who noted that the exploit could have been “merely accidental due to its trivialness.”
“The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years,” Thiebaut wrote.
VMware Aria Operations is proprietary, but VMware Tools is also available as the open-source open-vm-tools package, which ships with many Linux distributions. Thiebaut based his CVE-2025-41244 analysis on that open-source component, and he also published a proof-of-concept (PoC) exploit.
Affected VMware Versions
According to Broadcom, the affected versions and their fixed versions are:

| Product | Component | Version | Running On | Fixed Version |
|---|---|---|---|---|
| VMware Cloud Foundation, VMware vSphere Foundation | VMware Cloud Foundation Operations | 9.x.x.x | Any | 9.0.1.0 |
| VMware Cloud Foundation, VMware vSphere Foundation | VMware Tools | 13.x.x.x | Windows, Linux | 13.0.5.0 |
| VMware Aria Operations | VMware Aria Operations | 8.x | Any | 8.18.5 |
| VMware Tools | N/A | 13.x.x | Windows, Linux | 13.0.5 |
| VMware Tools | N/A | 12.x.x, 11.x.x | Windows, Linux | 12.5.4 |
| VMware Cloud Foundation | VMware Aria Operations | 5.x, 4.x | Any | KB92148 |
| VMware Telco Cloud Platform | VMware Aria Operations | 5.x, 4.x | Any | 8.18.5 |
| VMware Telco Cloud Infrastructure | VMware Aria Operations | 3.x, 2.x | Any | 8.18.5 |
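As an added example (not code from Broadcom, NVISO or the advisory), the following Python check maps a VMware Tools or Aria Operations version string onto the fixed versions in the table above, so an inventory script can flag hosts still on an affected branch. The product keys (`vmware-tools`, `aria-operations`, `vcf-operations`) and the sample version strings are this example's own choices; the `vmware-toolbox-cmd -v` output format it parses is assumed to be of the form `12.3.5.46049 (build-22544099)`.

```python
import re
import shutil
import subprocess

# Fixed versions per major branch, taken from the advisory table above.
# For the 11.x branch of VMware Tools the advisory lists 12.5.4 as the fix,
# so every 11.x build is treated as affected.
FIXED = {
    "vmware-tools": {13: (13, 0, 5), 12: (12, 5, 4), 11: (12, 5, 4)},
    "aria-operations": {8: (8, 18, 5)},
    "vcf-operations": {9: (9, 0, 1, 0)},
}

VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text):
    """Extract the dotted version from a string such as
    '12.3.5.46049 (build-22544099)' (constructed sample) as an int tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(product, version_text):
    """Return (affected, fixed_version) for CVE-2025-41244.

    fixed_version is None when the major branch is not listed in the
    advisory at all, in which case the check reports 'not affected'
    rather than guessing."""
    ver = parse_version(version_text)
    fixed = FIXED[product].get(ver[0])
    if fixed is None:
        return False, None
    # Compare only as many components as the fixed version has, so a build
    # number suffix (e.g. 12.5.4.12345) does not make a fixed build look old.
    # A version with fewer components than the fix (e.g. '12.5') compares as
    # older and is conservatively reported as affected.
    return ver[: len(fixed)] < fixed, ".".join(map(str, fixed))


if __name__ == "__main__":
    # Assumption: on a guest with VMware Tools / open-vm-tools installed,
    # `vmware-toolbox-cmd -v` prints the installed Tools version.
    if shutil.which("vmware-toolbox-cmd"):
        out = subprocess.run(["vmware-toolbox-cmd", "-v"],
                             capture_output=True, text=True).stdout
        affected, fixed = is_affected("vmware-tools", out)
        print(f"VMware Tools {out.strip()}: affected={affected}, fix={fixed}")
    else:
        print("vmware-toolbox-cmd not found; nothing to check on this host")
```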