
Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software that has been exploited in zero-day attacks since October 2024.
While the American technology giant did not tag this security bug (CVE-2025-41244) as exploited in the wild, it credited NVISO threat researcher Maxime Thiebaut with reporting the bug in May.
However, yesterday, the European cybersecurity company revealed that the vulnerability was first exploited in the wild in mid-October 2024 and linked the attacks to the UNC5174 Chinese state-sponsored threat actor.
"To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd," Thiebaut explained.
"To ensure the malicious binary gets elevated by the VMware discovery service, the binary should be run by an unprivileged user (i.e., show up in the process tree) and open at least one (random) listening socket."
NVISO also released a proof-of-concept exploit showing how attackers can abuse CVE-2025-41244 to escalate privileges on vulnerable VMware Aria Operations (in credential-based mode) and VMware Tools (in credential-less mode) deployments and gain root-level code execution on the affected VMs.
A Broadcom spokesperson did not immediately respond to a request for comment from BleepingComputer today.
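As an added illustration (not NVISO's proof-of-concept and not VMware's discovery script), the following Python sketch models the precondition Thiebaut describes and the kind of host check a defender could run over a process listing: a non-root process whose executable name matches a broad service pattern, lives outside trusted system directories, and holds at least one listening socket. The regular expressions, trusted path prefixes, allowlist, and sample process table are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# ASSUMPTION: a simplified stand-in for the "broadly matched regular expression paths"
# described in the article. Illustrative only; VMware's real pattern list is not reproduced.
BROAD_SERVICE_PATTERNS = [
    re.compile(r"^.*/httpd$"),
    re.compile(r"^.*/nginx$"),
    re.compile(r"^.*/mysqld$"),
]

# ASSUMPTION: root-owned system directories where a genuine service binary is expected.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/libexec/", "/sbin/", "/bin/")

# Hardened alternative to a broad regex: exact absolute paths only (illustrative allowlist).
ALLOWED_SERVICE_BINARIES = {"/usr/sbin/httpd", "/usr/sbin/nginx", "/usr/sbin/mysqld"}


@dataclass
class Proc:
    """One row of a process table: pid, executable path, owning user, listening TCP ports."""
    pid: int
    exe: str
    user: str
    listening_ports: Tuple[int, ...] = ()


def matches_broad_pattern(exe: str) -> bool:
    """True if the path would be picked up by the (assumed) broad discovery patterns."""
    return any(p.match(exe) for p in BROAD_SERVICE_PATTERNS)


def matches_hardened_allowlist(exe: str) -> bool:
    """Exact match against known root-owned paths, so a path like /tmp/httpd never qualifies."""
    return exe in ALLOWED_SERVICE_BINARIES


def is_staging_candidate(proc: Proc) -> bool:
    """Flag a process that fits the exploitation precondition: a discovery-pattern match
    outside trusted system directories, run by a non-root user, with a listening socket."""
    outside_trusted = not proc.exe.startswith(TRUSTED_PREFIXES)
    return (
        matches_broad_pattern(proc.exe)
        and outside_trusted
        and proc.user != "root"
        and len(proc.listening_ports) > 0
    )


def scan(procs: List[Proc]) -> List[int]:
    """Return the pids of all processes that look like staged discovery targets."""
    return [p.pid for p in procs if is_staging_candidate(p)]


# Constructed sample process table (not real telemetry).
SAMPLE_PROCS = [
    Proc(1021, "/usr/sbin/httpd", "root", (80, 443)),          # legitimate web server
    Proc(4872, "/tmp/httpd", "alice", (41237,)),               # staged in /tmp and listening: flag
    Proc(4901, "/tmp/httpd", "bob"),                           # no listening socket: discovery skips it
    Proc(5133, "/home/alice/.cache/nginx", "alice", (8080,)),  # user-writable path, listening: flag
    Proc(6007, "/usr/sbin/mysqld", "mysql", (3306,)),          # trusted path, non-root is fine here
]

if __name__ == "__main__":
    for pid in scan(SAMPLE_PROCS):
        proc = next(p for p in SAMPLE_PROCS if p.pid == pid)
        print(f"pid {pid}: {proc.exe} run by {proc.user}, listening on {proc.listening_ports}")
```

In practice the process rows would come from `ss -lptn` or `/proc/<pid>/exe` rather than a hard-coded list, and the check generalizes beyond /tmp to any directory a local user can write to. The allowlist function shows the direction a hardened matcher takes (exact, root-owned paths instead of a broad regex); it is not a description of Broadcom's actual fix.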
Who is UNC5174?
Google Mandiant security analysts, who believe UNC5174 is a contractor for China's Ministry of State Security (MSS), have observed the threat actor selling access to the networks of US defense contractors, UK government entities, and Asian institutions after exploiting the F5 BIG-IP CVE-2023-46747 remote code execution vulnerability in late 2023.
In February 2024, it also exploited the CVE-2024-1709 ConnectWise ScreenConnect flaw to breach hundreds of US and Canadian organizations.
Earlier this year, in May, UNC5174 was also linked to in-the-wild exploitation of CVE-2025-31324, an unauthenticated file upload flaw that lets attackers gain remote code execution on vulnerable SAP NetWeaver servers.
Other Chinese threat actors (e.g., Chaya_004, UNC5221, and CL-STA-0048) also joined this wave of attacks, which backdoored 580 SAP NetWeaver instances, including critical infrastructure in the United Kingdom and the United States.
On Monday, Broadcom also patched two high-severity VMware NSX vulnerabilities reported by the US National Security Agency (NSA).
In March, the company patched three other zero-days that were actively exploited in attacks and reported by the Microsoft Threat Intelligence Center (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226).


