VMware Zero-Day Vulnerability: Active Exploitation and Implications
Introduction to CVE-2025-41244
Security researchers have recently identified a concerning zero-day vulnerability in VMware products, known as CVE-2025-41244. This vulnerability has reportedly been exploited by state-sponsored threat actors from China for nearly a year. The discovery highlights significant risks associated with specific VMware software, drawing attention from both cybersecurity experts and organizations reliant on these technologies.
Details of the Vulnerability
CVE-2025-41244 has been rated 7.8 on the CVSS (Common Vulnerability Scoring System), indicating its critical nature. It affects several versions of VMware’s Aria Operations, VMware Tools, VMware Cloud Foundation, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure. This local privilege escalation vulnerability allows an attacker with a non-administrative account to potentially gain root access on a virtual machine (VM) where VMware Tools is installed and managed by Aria Operations, provided that the Software Development Management Platform (SDMP) is enabled.
How the Exploit Works
A malicious actor with non-administrative access to a vulnerable VM can use this flaw to escalate their privileges to root. Such access could lead to significant security breaches within an organization, making prompt remediation of this vulnerability essential.
Timeline of Discovery
The exploit was initially observed by NVISO researchers in May 2025. However, their blog post reveals that they first identified signs of it being actively exploited in mid-October 2024. The researchers communicated their findings to Broadcom, VMware’s parent company, within two days of confirming the exploitation in a controlled lab environment.
Connection to Threat Actor UNC5174
NVISO has attributed the ongoing exploitation of this vulnerability to a group known as UNC5174, recognized for their affiliation with Chinese state-sponsored hacking activities. This group typically acquires initial access through the public exploitation of vulnerabilities, illustrating an evolving threat landscape.
NVISO’s threat researcher, Maxime Thiebaut, remarked on the complexities of determining the intent behind the exploit, suggesting that its simplicity may lead to unintentional escalations by various malware strains over time. The potential for accidental exploitation underscores the necessity for heightened vigilance in security practices.
Affected VMware Versions
Broadcom has outlined the specific VMware products affected by CVE-2025-41244. Below are some of the critical components and their respective versions:
VMware Products and Versions
| Product | Component | Version | Running On | Fixed Version |
|---|---|---|---|---|
| VMware Cloud Foundation | VMware Cloud Foundation Operations | 9.x.x.x | Any | 9.0.1.0 |
| VMware vSphere Foundation | | 9.x.x.x | Any | 9.0.1.0 |
| VMware Tools | | 13.x.x.x | Windows, Linux | 13.0.5.0 |
| VMware Aria Operations | | 8.x | Any | 8.18.5 |
| VMware Tools | N/A | 12.x.x, 11.x.x | Windows, Linux | 12.5.4 |
| VMware Cloud Foundation | VMware Aria Operations | 5.x, 4.x | Any | KB92148 |
| VMware Telco Cloud Platform | VMware Aria Operations | 5.x, 4.x | Any | 8.18.5 |
| VMware Telco Cloud Infrastructure | VMware Aria Operations | 3.x, 2.x | Any | 8.18.5 |
These details underscore the critical need for organizations that utilize these VMware products to apply patches and updates promptly to secure their systems.
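The table above is the practical starting point for a patch sweep: each row pairs an affected version branch with the build (or, in one case, a KB article) that fixes it. The following is an added example, not code from the article or from Broadcom, that encodes those rows and checks an inventory of product/version pairs against them. The table rows are transcribed from the page; the matching rules (prefix match on the "x" wildcards, numeric comparison only where the fixed version shares the affected branch's numbering) and the sample inventory hosts are this example's own assumptions, and the result should be confirmed against Broadcom's advisory before acting on it.

```python
"""Triage helper: flag VMware product versions that fall inside the
CVE-2025-41244 affected branches listed in the article's table.
Added example; the table is transcribed from the page, the matching
logic and sample inventory are constructed for illustration."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Row:
    product: str
    component: str       # "" where the table lists no separate component
    affected: tuple      # version patterns such as "9.x.x.x" or "5.x"
    fixed: str           # fixed version, or a KB reference such as KB92148


# Transcribed from the page's "VMware Products and Versions" table.
TABLE = (
    Row("VMware Cloud Foundation", "VMware Cloud Foundation Operations", ("9.x.x.x",), "9.0.1.0"),
    Row("VMware vSphere Foundation", "", ("9.x.x.x",), "9.0.1.0"),
    Row("VMware Tools", "", ("13.x.x.x",), "13.0.5.0"),
    Row("VMware Aria Operations", "", ("8.x",), "8.18.5"),
    Row("VMware Tools", "", ("12.x.x", "11.x.x"), "12.5.4"),
    Row("VMware Cloud Foundation", "VMware Aria Operations", ("5.x", "4.x"), "KB92148"),
    Row("VMware Telco Cloud Platform", "VMware Aria Operations", ("5.x", "4.x"), "8.18.5"),
    Row("VMware Telco Cloud Infrastructure", "VMware Aria Operations", ("3.x", "2.x"), "8.18.5"),
)


def parse_version(v):
    """'8.18.5' -> (8, 18, 5). A build suffix after '-' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())


def is_numeric_version(v):
    """True for dotted numeric versions; False for KB references."""
    return bool(re.fullmatch(r"\d+(\.\d+)*", v))


def matches_pattern(version, pattern):
    """Prefix match: '9.x.x.x' matches any version whose first component is 9."""
    fixed_parts = tuple(int(p) for p in pattern.split(".") if p != "x")
    return parse_version(version)[: len(fixed_parts)] == fixed_parts


def assess(product, version):
    """Return [(component, fix), ...] for rows that flag this product/version.
    An empty list means no row in the table applies."""
    findings = []
    for row in TABLE:
        if row.product != product:
            continue
        if not any(matches_pattern(version, p) for p in row.affected):
            continue
        # Only compare numerically when the fixed version lives in the same
        # branch as the affected pattern (e.g. Tools 12.x.x -> 12.5.4). Rows
        # whose fix is a component build (Aria Operations 8.18.5 for a 5.x
        # platform) or a KB article are always flagged for review.
        comparable = is_numeric_version(row.fixed) and any(
            matches_pattern(row.fixed, p) for p in row.affected
        )
        if comparable and parse_version(version) >= parse_version(row.fixed):
            continue  # already at or above the fixed build
        findings.append((row.component or row.product, row.fixed))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = (
    ("vm-web-01", "VMware Tools", "12.3.0"),
    ("vm-db-02", "VMware Tools", "12.5.4"),
    ("aria-prod", "VMware Aria Operations", "8.18.4"),
    ("tcp-core", "VMware Telco Cloud Platform", "5.0"),
    ("vcf-mgmt", "VMware Cloud Foundation", "5.2"),
)


def scan(inventory):
    """Map each host that needs action to its findings; clean hosts are omitted."""
    report = {}
    for host, product, version in inventory:
        findings = assess(product, version)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_INVENTORY).items():
        for component, fix in findings:
            print(f"{host}: update {component} -> {fix}")
```

Hosts already at the fixed build (here `vm-db-02` on VMware Tools 12.5.4) drop out of the report, while platform rows whose remedy is a component build or a KB article are always surfaced, because a platform version such as 5.0 says nothing about which Aria Operations build is actually deployed on it.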
Conclusion
As cyber threats continue to evolve, the discovery of vulnerabilities such as CVE-2025-41244 serves as a crucial reminder for organizations to continually assess and strengthen their cybersecurity defenses. The ongoing exploitation by a state-backed threat actor like UNC5174 not only highlights the risks associated with software vulnerabilities but also emphasizes the importance of timely updates and security practices in safeguarding resources. Businesses using affected VMware products must act swiftly to mitigate potential risks and vulnerabilities.