Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability
A newly patched high-severity VMware vulnerability has been exploited as a zero-day since October 2024 for code execution with elevated privileges, NVISO Labs reports. According to NVISO, which was credited for the find, a Chinese state-sponsored threat actor tracked as UNC5174 has been exploiting the bug for a year. UNC5174 was recently linked to an attack on cybersecurity firm SentinelOne. Noting that successful exploitation of CVE-2025-41244 allows unprivileged users to execute code with root privileges, NVISO warns that the open-source variant of VMware Tools, open-vm-tools, which ships with major Linux distributions, is also affected. UNC5174, NVISO notes, has been exploiting the weakness by placing malicious binaries in the /tmp/httpd folder. The binaries are first run with low privileges and open a random listening socket; that is what gets them elevated.
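As an added defender-side example (not code from NVISO, Broadcom or SecurityWeek), the following hunt runs over a constructed process snapshot and an `ss -tlnp` listing and flags the pattern described above: an unprivileged binary living under a temp directory such as /tmp/httpd that holds a listening socket, or a root process whose binary lives in a temp directory. The directory list, the `Proc` record, the function names and the sample data are assumptions made for this example.

```python
import re
from collections import namedtuple

# Directories a long-lived service binary has no business living in (assumed list).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# One row of a process snapshot, e.g. built from /proc/<pid>/status and /proc/<pid>/exe.
Proc = namedtuple("Proc", "pid uid exe")

# Parses the `ss -tlnp` row layout: state, queues, local address, peer address, users:((...)).
_SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<laddr>\S+)\s+\S+\s+users:\((?P<users>.*)\)\s*$")
_USER = re.compile(r'\("[^"]*",pid=(?P<pid>\d+),fd=\d+\)')


def listening_pids(ss_output: str) -> dict:
    """Map pid -> list of local addresses that process is listening on."""
    result = {}
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue  # header row or a non-LISTEN socket
        for u in _USER.finditer(m.group("users")):
            result.setdefault(int(u.group("pid")), []).append(m.group("laddr"))
    return result


def find_suspects(procs, ss_output: str) -> list:
    """Return (pid, uid, exe, reason) tuples for processes matching the reported pattern.

    Heuristic 1: an unprivileged process with a listening socket whose binary sits in a
    temp directory (the staging step). Heuristic 2: a root process whose binary sits in
    a temp directory (what a successful elevation would look like afterwards).
    """
    listeners = listening_pids(ss_output)
    hits = []
    for p in procs:
        if not p.exe.startswith(SUSPICIOUS_DIRS):
            continue
        if p.uid == 0:
            hits.append((p.pid, p.uid, p.exe, "root process running from temp dir"))
        elif p.pid in listeners:
            where = ",".join(listeners[p.pid])
            hits.append((p.pid, p.uid, p.exe, "unprivileged temp-dir binary listening on " + where))
    return hits


# Constructed sample snapshot for the example; not real telemetry.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:39217    0.0.0.0:*         users:(("httpd",pid=4321,fd=4))
"""
SAMPLE_PROCS = [
    Proc(812, 0, "/usr/sbin/sshd"),          # legitimate daemon, ignored
    Proc(4321, 1000, "/tmp/httpd/httpd"),    # unprivileged, temp dir, listening -> flagged
    Proc(4400, 0, "/tmp/httpd/httpd"),       # root, temp dir -> flagged
    Proc(5000, 1000, "/tmp/httpd/other"),    # temp dir but not listening, not root -> ignored
]
```

On a live host the same logic can be fed from `ss -tlnp` output and a walk of /proc; the staged binary's name (httpd) is chosen to look legitimate, so path and privilege, not process name, are what to key on.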
To read the complete article see: SecurityWeek