Broadcom patched a **high-severity privilege escalation vulnerability (CVE-2025-41244)** in **VMware Aria Operations** and **VMware Tools**, actively exploited since **October 2024** by **UNC5174**, a **Chinese state-sponsored threat actor** linked to China’s Ministry of State Security (MSS). The flaw allows an **unprivileged local attacker** to escalate privileges to **root-level code execution** by staging a malicious binary in paths like `/tmp/httpd` and abusing VMware’s service discovery mechanism. UNC5174, known for selling network access to **U.S. defense contractors, UK government entities, and Asian institutions**, previously exploited **CVE-2023-46747 (F5 BIG-IP)**, **CVE-2024-1709 (ConnectWise ScreenConnect)**, and **CVE-2025-31324 (SAP NetWeaver)**.

The vulnerability poses a **critical risk** because it enables **full system compromise**, potentially allowing attackers to **move laterally across networks**, **steal sensitive data**, or **deploy additional malware**. While no **direct data breach or ransomware** was confirmed in this case, exploitation by a **state-backed APT group** suggests **espionage or pre-positioning for future attacks**. Broadcom also patched **two other high-severity VMware NSX flaws** reported by the **NSA**, indicating a broader pattern of **targeted cyber operations** against enterprise infrastructure.
TPRM report: https://www.rankiteo.com/company/broadcom
"id": "bro4592445093025",
"linkid": "broadcom",
"type": "Vulnerability",
"date": "6/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Software/Cloud Infrastructure',
                        'location': 'United States (Global Operations)',
                        'name': 'Broadcom (VMware)',
                        'size': 'Large Enterprise',
                        'type': 'Technology Corporation'},
                       {'industry': 'Defense',
                        'location': 'United States',
                        'name': 'U.S. Defense Contractors (via UNC5174 access sales)',
                        'type': 'Private/Government Contractors'},
                       {'industry': 'Public Sector',
                        'location': 'United Kingdom',
                        'name': 'UK Government Entities (via UNC5174 access sales)',
                        'type': 'Government'},
                       {'industry': 'Multiple Sectors',
                        'location': 'Asia',
                        'name': 'Asian Institutions (via UNC5174 access sales)',
                        'type': 'Government/Private'},
                       {'customers_affected': 'Hundreds (per February 2024 attacks)',
                        'industry': 'Multiple Sectors',
                        'location': 'United States, Canada',
                        'name': 'U.S. and Canadian Institutions (via CVE-2024-1709 exploitation)',
                        'type': 'Multiple'}],
 'attack_vector': ['Local', 'Malicious Binary Staging', 'Service Discovery Abuse'],
 'customer_advisories': 'Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article.',
 'date_detected': '2024-05-01',
 'date_publicly_disclosed': '2024-11-05',
 'description': "Broadcom has patched a high-severity privilege escalation vulnerability (CVE-2025-41244) in its VMware Aria Operations and VMware Tools software, exploited in zero-day attacks since October 2024. The vulnerability allows unprivileged local attackers to escalate privileges to root-level code execution by staging a malicious binary in broadly-matched regex paths (e.g., /tmp/httpd). The attacks have been linked to the Chinese state-sponsored threat actor UNC5174, a contractor for China's Ministry of State Security (MSS). NVISO released a proof-of-concept exploit demonstrating the flaw's exploitation.",
 'impact': {'brand_reputation_impact': 'High (zero-day exploitation by state-sponsored actor, multiple high-profile vulnerabilities in 2024)',
            'operational_impact': 'Potential root-level code execution on vulnerable VMs, leading to full system compromise',
            'systems_affected': ['VMware Aria Operations (credential-based mode)',
                                 'VMware Tools (credential-less mode)']},
 'initial_access_broker': {'backdoors_established': "Likely (based on UNC5174's history of selling network access)",
                           'data_sold_on_dark_web': 'Yes (UNC5174 known for selling access to compromised networks)',
                           'entry_point': ['Exploitation of CVE-2025-41244 (privilege escalation via /tmp/httpd)',
                                           'Previous exploits: CVE-2023-46747 (F5 BIG-IP), CVE-2024-1709 (ConnectWise ScreenConnect), CVE-2025-31324 (NetWeaver Visual Composer)'],
                           'high_value_targets': ['U.S. defense contractors',
                                                  'UK government entities',
                                                  'Asian institutions',
                                                  'Critical infrastructure (UK/US via SAP NetWeaver attacks)']},
 'investigation_status': 'Ongoing (patch released; threat actor activity under monitoring)',
 'lessons_learned': '1. State-sponsored actors like UNC5174 are increasingly exploiting zero-day vulnerabilities in enterprise software (VMware, F5 BIG-IP, ConnectWise, SAP) for espionage and financial gain. 2. Privilege escalation vulnerabilities in widely used tools (e.g., VMware Aria Operations) can lead to full system compromise if left unpatched. 3. Collaboration with threat intelligence firms (NVISO, Mandiant, Microsoft) is critical for timely detection and mitigation. 4. Regular patching of high-severity vulnerabilities reported by entities like NSA and Microsoft Threat Intelligence is essential to prevent exploitation.',
 'motivation': ['Espionage', 'Financial Gain (selling network access)', 'Cyber Warfare'],
 'post_incident_analysis': {'corrective_actions': ['Broadcom released patches for CVE-2025-41244 and related VMware NSX vulnerabilities.',
                                                   'NVISO published PoC to aid detection and mitigation.',
                                                   'Organizations advised to audit VMware environments for signs of exploitation (e.g., suspicious /tmp/httpd binaries).',
                                                   'Enhanced monitoring for UNC5174 TTPs (tactics, techniques, procedures) across enterprise software.'],
                            'root_causes': ['Privilege escalation vulnerability in VMware service discovery mechanism (broad regex path matching).',
                                            'Insufficient validation of unprivileged user processes opening listening sockets.',
                                            'Delayed public disclosure of in-the-wild exploitation (attacks began in October 2024; patch/report in November 2024).',
                                            'Reuse of exploit techniques across multiple vulnerabilities (e.g., CVE-2023-46747, CVE-2024-1709) by UNC5174.']},
 'recommendations': ["Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities.",
                     'Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations.',
                     'Restrict unprivileged user access to critical service discovery mechanisms in VMware environments.',
                     'Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes).',
                     'Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials.',
                     'Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes.',
                     'Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.'],
 'references': [{'date_accessed': '2024-11-05', 'source': 'BleepingComputer'},
                {'date_accessed': '2024-11-04', 'source': 'NVISO Research (Maxime Thiebaut)'},
                {'source': 'Google Mandiant (UNC5174 Analysis)'},
                {'date_accessed': '2024-11-05', 'source': 'Broadcom Security Advisory for CVE-2025-41244'},
                {'source': 'Microsoft Threat Intelligence (VMware Zero-Days, March 2024)'}],
 'response': {'containment_measures': ['Patch release for CVE-2025-41244',
                                       'Previous patches for CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 (March 2024)',
                                       'NSX vulnerabilities patched (November 2024)'],
              'incident_response_plan_activated': 'Yes (Broadcom patch release)',
              'third_party_assistance': ['NVISO (vulnerability reporting and PoC)',
                                         'Google Mandiant (threat actor analysis)']},
 'threat_actor': 'UNC5174 (Chinese state-sponsored, linked to Ministry of State Security - MSS)',
 'title': 'Broadcom Patches High-Severity VMware Aria Operations and VMware Tools Privilege Escalation Vulnerability (CVE-2025-41244) Exploited by UNC5174',
 'type': ['Privilege Escalation', 'Zero-Day Exploit'],
 'vulnerability_exploited': 'CVE-2025-41244 (VMware Aria Operations and VMware Tools Privilege Escalation)'}