
Threat actors have actively exploited a zero-day vulnerability in Broadcom VMware Tools and VMware Aria Operations (CVE-2025-41244) in the wild. The China-linked group UNC5174 (aka Uteus/Uetus) has exploited the flaw for privilege escalation in VMware-targeted attacks. Continue reading this edition of the Cybersecurity Threat Advisory for actionable recommendations to protect your environment.
What is the threat?
CVE-2025-41244 affects multiple VMware products, including VMware Cloud Foundation (4.x, 5.x, 9.x.x.x, 13.x.x.x), VMware vSphere Foundation (9.x.x.x, 13.x.x.x), VMware Aria Operations (8.x), VMware Tools (11.x.x, 12.x.x, 13.x.x), VMware Telco Cloud Platform (4.x, 5.x), and VMware Telco Cloud Infrastructure (2.x, 3.x).
A malicious local actor with non-administrative privileges who has access to a VM with VMware Tools installed and managed by Aria Operations (with SDMP enabled) can exploit this vulnerability to escalate privileges to root on the same VM.
Why is it noteworthy?
The flaw has been exploited in the wild as a zero-day since October 2024, prior to the release of a patch. The activity is attributed to UNC5174, a sophisticated China-linked threat actor known for targeting high-profile vulnerabilities. Since this vulnerability affects a wide range of VMware products and versions commonly deployed in cloud environments, there is potential for widespread impact.
Notably, exploitation is trivial. The flaw stems from the get_version() function, which can be abused by placing a malicious binary in a writable directory (such as /tmp/httpd). When the metrics collection service is executed, it runs that planted binary, resulting in local privilege escalation.
What is the exposure or risk?
This vulnerability enables unprivileged local users to gain root-level access on affected virtual machines, resulting in significant privilege escalation. Attackers who obtain initial access through other means, such as phishing or malware, can leverage this flaw to escalate privileges and move laterally within the environment. With root access, they can install persistent malware, exfiltrate sensitive data, or further compromise the environment. The fact that this vulnerability has been confirmed as actively exploited in the wild further increases the urgency for immediate remediation.
What are the recommendations?
Barracuda recommends the following actions to mitigate your risks:
- Update VMware Tools, Aria Operations, and all affected VMware products to the latest versions as soon as possible.
- Limit local user access to VMs and monitor for unauthorized accounts or privilege escalations.
- Monitor for suspicious binaries in writable directories (e.g., /tmp/httpd) and unexpected privilege escalations.
- Disable unnecessary services, restrict write access to sensitive directories, and review security policies.
- Isolate affected systems and initiate incident response procedures if exploitation is suspected.
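As an added example for the monitoring recommendation above (illustrative code written for this advisory, not Barracuda's or VMware's tooling), the following Python script sweeps user-writable directories on a Linux guest for executable files named like a service daemon, the pattern behind the /tmp/httpd case described earlier. The directory list and the service names other than httpd are assumptions to adapt to your environment.

```python
import os
import stat
import tempfile

# Directories an unprivileged user can normally write to (assumption: adjust to your guest).
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Basenames a service-discovery scan would treat as a daemon; /tmp/httpd comes from the
# advisory, the other names are an illustrative assumption.
SERVICE_NAMES = frozenset({"httpd", "nginx", "mysqld", "sshd", "postgres"})


def is_executable_file(path):
    """True for a regular (non-symlink) file with any execute bit set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def find_suspicious_binaries(dirs=WRITABLE_DIRS, names=SERVICE_NAMES, max_depth=2):
    """Return sorted [(path, owner_uid)] for executables in writable dirs named like a service."""
    findings = []
    for base in dirs:
        base = os.path.normpath(base)
        if not os.path.isdir(base):
            continue
        base_depth = base.count("/")
        for root, subdirs, files in os.walk(base):
            if root.count("/") - base_depth >= max_depth:
                subdirs[:] = []  # stop descending; a planted file sits near the top
            for name in files:
                path = os.path.join(root, name)
                if name in names and is_executable_file(path):
                    findings.append((path, os.lstat(path).st_uid))
    return sorted(findings)


def build_demo_dir():
    """Constructed stand-in for /tmp: a planted executable 'httpd' plus a harmless log file."""
    demo = tempfile.mkdtemp(prefix="writable-dir-demo-")
    planted = os.path.join(demo, "httpd")
    with open(planted, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder\n")  # inert placeholder content
    os.chmod(planted, 0o755)
    open(os.path.join(demo, "httpd.log"), "w").close()  # same prefix, not a binary
    return demo


if __name__ == "__main__":
    for path, uid in find_suspicious_binaries((build_demo_dir(),) + WRITABLE_DIRS):
        print(f"suspicious executable {path} (owner uid {uid})")
```

Schedule it from cron or an EDR custom-script job on Linux guests and triage each hit by owning uid and file hash; a service-named executable owned by a non-root user in /tmp is the signal to escalate.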
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/09/urgent-china-linked-hackers-exploit-new.html
- https://blog.nviso.eu/2025/09/30/vmware-zero-day-cve-2025-41244/
- https://nvd.nist.gov/vuln/detail/CVE-2025-41244/
- https://malpedia.caad.fkie.fraunhofer.de/actor/unc5174
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.