from randomname@scribe.disroot.org to cybersecurity@infosec.pub on 06 Oct 05:40
https://scribe.disroot.org/post/4925455
cross-posted from: scribe.disroot.org/post/4925454
Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024.
While the American technology giant didn’t tag this security bug (CVE-2025-41244) as exploited in the wild, it thanked NVISO threat researcher Maxime Thiebaut for reporting the bug in May.
However, yesterday, the European cybersecurity company disclosed that this vulnerability was first exploited in the wild beginning mid-October 2024 and linked the attacks to the UNC5174 Chinese state-sponsored threat actor.
“To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd,” Thiebaut explained.
“To ensure the malicious binary is picked up by the VMware service discovery, the binary must be run by the unprivileged user (i.e., show up in the process tree) and open at least a (random) listening socket.”
NVISO also released a proof-of-concept exploit that demonstrates how attackers can exploit the CVE-2025-41244 flaw to escalate privileges on systems running vulnerable VMware Aria Operations (in credential-based mode) and VMware Tools (in credential-less mode) software, ultimately gaining root-level code execution on the VM.
…
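An added defensive example, not code from the article or from NVISO's proof-of-concept: a small Python checker that applies the pattern Thiebaut describes in reverse, flagging non-root processes that hold a listening socket while running from an executable outside an assumed allow-list of trusted directories (the /tmp/httpd case above would match). The trusted-prefix list, the `Proc` record and the sample records are constructed for this example.

```python
import os
from dataclasses import dataclass

# Assumed allow-list of where legitimate service binaries live; tune per host.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/libexec/", "/usr/lib/", "/sbin/", "/bin/", "/opt/")

@dataclass
class Proc:
    pid: int
    uid: int          # owner of the process
    exe: str          # resolved /proc/<pid>/exe target
    listening: bool   # holds at least one TCP socket in LISTEN state

def is_staged_service(p: Proc) -> bool:
    """Non-root process listening on a socket from an executable outside the
    trusted directories, e.g. /tmp/httpd as described in the NVISO write-up."""
    return p.listening and p.uid != 0 and not p.exe.startswith(TRUSTED_PREFIXES)

def find_staged(procs):
    return [p for p in procs if is_staged_service(p)]

def listening_inodes(path="/proc/net/tcp"):
    """Inodes of sockets in LISTEN state (st column == 0A) from tcp and tcp6."""
    inodes = set()
    for tbl in (path, path + "6"):
        try:
            with open(tbl) as fh:
                next(fh)  # skip header
                inodes |= {f[9] for f in map(str.split, fh) if f[3] == "0A"}
        except OSError:
            pass
    return inodes

def snapshot_live():
    """Build Proc records from /proc (needs root to read other users' fds)."""
    listen, out = listening_inodes(), []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            uid = os.stat(f"/proc/{pid}").st_uid
            links = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            continue  # process exited or is not readable
        socks = {l[8:-1] for l in links if l.startswith("socket:[")}
        out.append(Proc(int(pid), uid, exe, bool(socks & listen)))
    return out

# Constructed sample, not real telemetry: root sshd vs. the advisory's unprivileged /tmp/httpd listener.
SAMPLE = [Proc(412, 0, "/usr/sbin/sshd", True),
          Proc(2231, 1000, "/tmp/httpd", True),
          Proc(2240, 1000, "/usr/bin/bash", False)]
```

On a live host, `find_staged(snapshot_live())` returns candidates to review; a legitimate service running from a vendor path means the allow-list needs extending rather than an alert.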