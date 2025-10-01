Vulnerability Management, Patch/Configuration Management, Threat Intelligence

VMware zero-day leveraged in Chinese attacks for almost a year

Chinese state-sponsored threat actor UNC5174, also known as Uteus or Uetus, has been exploiting the recently patched high-severity VMware Tools and VMware Aria Operations zero-day, tracked as CVE-2025-41244, in intrusions since October 2024, almost a year before a fix became available, reports The Hacker News.

The flaw is a local privilege escalation in the "get_version()" routine of VMware's service discovery feature, which identifies running services by matching the paths of their binaries and then executes the matched binaries with a version flag under root privileges. Because that path matching was overly broad, UNC5174 only needed to stage a malicious binary at "/tmp/httpd": the routine picked it up as if it were the web server and ran it as root, handing the attackers an elevated root shell and code execution, according to an analysis from NVISO Labs researcher Maxime Thiebaut, who discovered and disclosed the issue.

"The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years," said Thiebaut.
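The abuse pattern described above (a service-looking binary dropped under /tmp and picked up by an over-broad path match) is easy to hunt for. The following Python script is an added example, not code from NVISO, VMware or the open-vm-tools project: it shows an over-permissive matcher of the kind the flaw is built on beside a hardened one that only accepts binaries from trusted directories, and uses the difference to flag suspicious processes. The service-name list, the trusted-directory list and the sample process table are assumptions constructed for the example.

```python
"""Hunt for CVE-2025-41244-style staging: service binaries running from
untrusted paths such as /tmp/httpd.  Added example, not the vendor's code."""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Service names a naive "find the service, run it with a version flag"
# discovery routine might look for.  Illustrative assumption, not the exact
# list used by VMware Tools.
SERVICE_NAMES = ("httpd", "nginx", "mysqld", "postgres", "sshd", "java")

# Directories a legitimate service binary is expected to run from (assumption;
# tune for your fleet, e.g. add /usr/libexec/ or vendor install paths).
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/local/bin/", "/usr/local/sbin/", "/usr/lib/", "/opt/")

# Over-broad match: any absolute-looking path whose last component is a known
# service name, no matter which directory it lives in.
BROAD_RE = re.compile(r"^(\S+/(?:%s))(?:\s|$)" % "|".join(SERVICE_NAMES))


def broad_match(cmdline: str) -> Optional[str]:
    """Return the binary path if the command line looks like a known service,
    regardless of where the binary lives (the over-permissive behaviour)."""
    m = BROAD_RE.match(cmdline)
    return m.group(1) if m else None


def strict_match(cmdline: str) -> Optional[str]:
    """Same check, but only accept binaries located under a trusted directory."""
    path = broad_match(cmdline)
    if path is None or not path.startswith(TRUSTED_DIRS):
        return None
    return path


def find_suspicious(processes: Iterable[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return (pid, path) for every process the broad matcher would treat as a
    service but the strict matcher rejects: a service name in an untrusted
    location, exactly the /tmp/httpd pattern."""
    hits = []
    for pid, cmdline in processes:
        path = broad_match(cmdline)
        if path is not None and strict_match(cmdline) is None:
            hits.append((pid, path))
    return hits


def live_processes() -> List[Tuple[int, str]]:
    """Collect (pid, cmdline) from /proc on a Linux host; argv is NUL-separated
    in /proc/<pid>/cmdline, so the NULs are turned back into spaces."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited or not readable
        if raw:
            text = raw.rstrip(b"\0").replace(b"\0", b" ").decode(errors="replace")
            procs.append((int(entry), text))
    return procs


# Constructed sample process table (not real telemetry).
SAMPLE_PROCESSES = [
    (1234, "/usr/sbin/httpd -DFOREGROUND"),            # legitimate
    (4321, "/tmp/httpd"),                              # the staging pattern
    (5555, "/home/user/.cache/mysqld --defaults-file=x"),  # untrusted dir
    (777, "python3 /tmp/httpd.py"),                    # not a service binary
    (888, "/opt/nginx/sbin/nginx -g daemon off;"),     # trusted vendor path
]


def demo() -> List[Tuple[int, str]]:
    """Run the hunt over the constructed sample table."""
    return find_suspicious(SAMPLE_PROCESSES)


if __name__ == "__main__":
    for pid, path in find_suspicious(live_processes()):
        print(f"pid {pid}: service-named binary outside trusted dirs: {path}")
```

On a real host, run it as root so every /proc/<pid>/cmdline is readable; hits are worth correlating with file creation times and the owning user, since a binary named httpd under /tmp or a home directory has no legitimate reason to exist on most servers.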

VMware, which has already released fixes for the flaw, lists the following products as impacted: VMware Cloud Foundation 4.x and 5.x, VMware Cloud Foundation 13.x.x.x for Windows and Linux, VMware vSphere Foundation 9.x.x.x, VMware vSphere Foundation 13.x.x.x for Windows and Linux, VMware Aria Operations 8.x, VMware Tools 11.x.x, 12.x.x, and 13.x.x for Windows and Linux (including the open-source open-vm-tools builds shipped by Linux distributions), VMware Telco Cloud Platform 4.x and 5.x, and VMware Telco Cloud Infrastructure 2.x and 3.x.

