The **CVE-2025-41244** vulnerability in **VMware Aria Operations and VMware Tools** (with SDMP enabled) was exploited by the **Chinese state-sponsored group UNC5174** for **espionage** against **Western and Asian institutions**, including **US defense contractors, UK government agencies, and Asian organizations**. The flaw allowed **local privilege escalation**: an attacker with non-admin access to a VM could gain **root privileges**, enabling deeper compromise of the system. The **US Cybersecurity and Infrastructure Security Agency (CISA)** added it to the **Known Exploited Vulnerabilities (KEV) catalog**, requiring federal agencies to patch by **November 20, 2025** or discontinue use. Evidence suggests **UNC5174 (linked to China's Ministry of State Security)** had been abusing this flaw since **mid-2024**, alongside other zero-days in **Ivanti Cloud Services Appliance (CSA)**, to breach **French government agencies, telcos, finance, and transportation sectors**. The exploitation risks **unauthorized access to sensitive defense, government, and corporate networks**, potentially leading to **data exfiltration, lateral movement, and long-term espionage**. While no direct **data breach or ransomware** was confirmed in this case, the **targeted nature of the attacks**, focused on **high-value institutions**, poses severe **national security and economic risks** if the flaw is left unpatched.
TPRM report: https://www.rankiteo.com/company/vmware
{
"id": "vmw2892328103125",
"linkid": "vmware",
"type": "Vulnerability",
"date": "6/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'Federal Civilian Executive Branch (FCEB) Agencies (US)',
                        'type': 'Government'},
                       {'industry': 'Defense',
                        'location': 'United States',
                        'name': 'US Defense Contractors',
                        'type': 'Private Sector'},
                       {'industry': 'Public Sector',
                        'location': 'United Kingdom',
                        'name': 'UK Government Agencies',
                        'type': 'Government'},
                       {'location': 'Asia',
                        'name': 'Asian Institutions (unspecified)',
                        'type': ['Government', 'Private Sector']},
                       {'industry': 'Public Sector',
                        'location': 'France',
                        'name': 'French Government Agencies',
                        'type': 'Government'},
                       {'industry': ['Telecommunications', 'Financial Services', 'Transportation'],
                        'location': ['France', 'Global'],
                        'name': 'Commercial Entities (Telcos, Finance, Transportation)',
                        'type': 'Private Sector'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'VMware (Broadcom)',
                        'size': 'Large Enterprise',
                        'type': 'Private Sector'}],
 'attack_vector': ['Local', 'Privilege Escalation via VMware Tools with SDMP'],
 'customer_advisories': ['VMware patch notifications',
                         'Security researcher disclosures (e.g., NVISO, Mandiant)'],
 'data_breach': {'data_exfiltration': ['Likely (espionage-focused)',
                                       'No specific details provided']},
 'date_detected': '2024-10-01',
 'description': 'CISA added CVE-2025-41244 (a local privilege escalation vulnerability in VMware Aria Operations and VMware Tools with SDMP enabled) to its KEV catalog, mandating patching by November 20, 2025. The vulnerability was exploited by Chinese state-sponsored group UNC5174 for espionage targeting Western and Asian institutions, including US defense contractors, UK government agencies, and Asian organizations. The bug allows a local non-administrative actor to escalate privileges to root on a vulnerable VM. Proof-of-concept (POC) code was released by NVISO, and the vulnerability has been actively exploited since at least mid-October 2024.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage to VMware',
                                        'Trust erosion in affected institutions'],
            'operational_impact': ['Privilege escalation to root',
                                   'Potential unauthorized access to sensitive systems'],
            'systems_affected': ['VMware Aria Operations',
                                 'VMware Tools (with SDMP enabled)']},
 'initial_access_broker': {'entry_point': ['VMware Tools with SDMP enabled',
                                           'Local privilege escalation on compromised VMs'],
                           'high_value_targets': ['US defense contractors',
                                                  'UK government agencies',
                                                  'French government agencies',
                                                  'Asian institutions'],
                           'reconnaissance_period': ['At least since mid-October 2024 (per NVISO)',
                                                     'Potentially longer (up to a year, per researchers)']},
 'investigation_status': 'Ongoing (active exploitation reported as of late 2024)',
 'lessons_learned': ['State-sponsored actors leverage zero-day vulnerabilities for long-term espionage campaigns.',
                     "Timely patching is critical to mitigate exploitation, especially for vulnerabilities added to CISA's KEV catalog.",
                     'Collaboration between security researchers (e.g., NVISO, Mandiant) and government agencies (e.g., CISA) is essential for threat intelligence sharing.',
                     'Proof-of-concept (POC) code releases can accelerate both defensive and offensive operations.'],
 'motivation': ['Espionage', 'State-Sponsored Cyber Operations'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory patching deadline (November 20, 2025) for FCEB agencies.',
                                                   'Public disclosure of POC code to raise awareness (NVISO).',
                                                   'Enhanced collaboration between CISA, VMware, and security researchers for mitigation.'],
                            'root_causes': ['Unpatched vulnerability (CVE-2025-41244) in VMware Aria Operations and VMware Tools.',
                                            'Insufficient monitoring for privilege escalation attempts.',
                                            'State-sponsored actors (UNC5174) leveraging zero-day exploits for espionage.']},
 'recommendations': ['Immediately patch VMware Aria Operations and VMware Tools to the latest versions (e.g., VMware Tools 12.4.9/12.5.4, open-vm-tools for Linux).',
                     'Disable SDMP in VMware Aria Operations if patching is not immediately feasible.',
                     'Monitor systems for signs of privilege escalation or unauthorized root access.',
                     'Conduct threat hunting for indicators of compromise (IOCs) associated with UNC5174 or Houken.',
                     'Enhance logging and detection capabilities for VMware environments, particularly those managed by Aria Operations.',
                     'Review and update incident response plans to include scenarios involving state-sponsored espionage.'],
 'references': [{'source': 'CISA Known Exploited Vulnerabilities (KEV) Catalog',
                 'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog'},
                {'source': 'BleepingComputer',
                 'url': 'https://www.bleepingcomputer.com'},
                {'source': 'TechRadar', 'url': 'https://www.techradar.com'},
                {'source': 'NVISO (Proof-of-Concept Release)'},
                {'source': 'Google Mandiant (UNC5174 Analysis)'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA KEV catalog inclusion (mandatory patching deadline: November 20, 2025)']},
 'response': {'communication_strategy': ['CISA advisory via KEV catalog',
                                         'Public disclosure by security researchers (e.g., BleepingComputer, TechRadar)'],
              'containment_measures': ['Patching VMware Tools (12.4.9 for Windows 32-bit, 12.5.4 for general; open-vm-tools for Linux)',
                                       'Disabling SDMP if patching is not feasible'],
              'enhanced_monitoring': ['Recommended for systems running VMware Tools with SDMP'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Applying security updates by November 20, 2025 (CISA deadline)',
                                       'Monitoring for signs of exploitation'],
              'third_party_assistance': ['NVISO', 'Google Mandiant']},
 'stakeholder_advisories': ['CISA KEV advisory', 'VMware security bulletin (implied)'],
 'threat_actor': ['UNC5174', 'Houken (possibly linked)'],
 'title': 'Exploitation of CVE-2025-41244 in VMware Aria Operations and VMware Tools by UNC5174',
 'type': ['Privilege Escalation', 'Espionage', 'Zero-Day Exploitation'],
 'vulnerability_exploited': 'CVE-2025-41244'}