Broadcom patches VMware Zero-Day actively exploited by UNC5174
September 30, 2025 
Broadcom patched six VMware flaws, including CVE-2025-41244, which has been exploited in the wild as a zero-day since mid-October 2024 by UNC5174
Broadcom addressed six VMware vulnerabilities, including four high-severity issues. One of these flaws, tracked as CVE-2025-41244 (CVSS score 7.8), allows local users to escalate to root via VMware Tools and Aria Operations.
“VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.” reads the advisory. “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.”
The vulnerability CVE-2025-41244 has been exploited in the wild as a zero-day since mid-October 2024 by the China-linked threat actor UNC5174.
“On September 29th, 2025, Broadcom disclosed a local privilege escalation vulnerability, CVE-2025-41244, impacting VMware’s guest service discovery features. NVISO has identified zero-day exploitation in the wild beginning mid-October 2024.” reads a report published by NVISO Labs. “Throughout its incident response engagements, NVISO determined with confidence that UNC5174 triggered the local privilege escalation. We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness. UNC5174, a Chinese state-sponsored threat actor, has repeatedly been linked to initial access operations achieved through public exploitation.”
The vulnerability impacts the following versions:
- VMware Cloud Foundation 4.x and 5.x
- VMware Cloud Foundation 9.x.x.x
- VMware Cloud Foundation 13.x.x.x (Windows, Linux)
- VMware vSphere Foundation 9.x.x.x
- VMware vSphere Foundation 13.x.x.x (Windows, Linux)
- VMware Aria Operations 8.x
- VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)
- VMware Telco Cloud Platform 4.x and 5.x
- VMware Telco Cloud Infrastructure 2.x and 3.x
Broadcom also fixed an Information disclosure vulnerability, tracked as CVE-2025-41245, and an improper authorisation vulnerability, tracked as CVE-2025-41246, in VMware products. The patches were released for Aria Ops, Tools, Cloud, and Telco.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Broadcom)
Stephan is the sports journalist for the Maple Grove Report.
