Chinese state hackers may be using VMware Tools flaw to hack US systems - so patch now, CISA warns

Recently-patched Broadcom flaw added to CISA's KEV

TechRadar

News By Sead Fadilpašić published 31 October 2025



  • CISA added CVE-2025-41244 to KEV, mandating patching by November 20
  • The bug enables local privilege escalation via VMware Tools with SDMP enabled
  • Chinese group UNC5174 exploited it for espionage targeting Western and Asian institutions

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Broadcom bug to its Known Exploited Vulnerabilities (KEV) catalog, warning Federal Civilian Executive Branch (FCEB) agencies about in-the-wild abuse.

The bug in question is a local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools. According to the NVD, a malicious local actor with non-administrative privileges who has access to a VM with VMware Tools installed, and which is managed by Aria Operations with SDMP (Service Discovery Management Pack) enabled, may exploit it to escalate privileges to root on the same VM.

The bug is tracked as CVE-2025-41244 and was given a severity score of 7.8/10 (high). Users on 32-bit Windows should look for VMware Tools 12.4.9, which ships as part of the VMware Tools 12.5.4 release. For Linux, the fix is carried in open-vm-tools, which Linux vendors will distribute through their own package updates.
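The practical question for a defender is whether a given guest is still below the fixed release. The following triage helper is an added example and is not code from the article, TechRadar, Broadcom or CISA. It assumes that `vmware-toolbox-cmd -v` prints a version string such as `12.3.5.46049 (build-22544099)`, and it uses the two fixed versions the article names (12.5.4 for the main VMware Tools line, 12.4.9 for the 32-bit Windows build) as placeholder baselines to be confirmed against the vendor advisory. It only covers the 12.x line the article discusses and reports anything else as unknown rather than guessing; it also cannot tell whether SDMP is enabled in Aria Operations, which is the other half of the exposure.

```python
"""Version triage for CVE-2025-41244 (added example, not from the article).

Assumptions (labelled, not stated verbatim on the page):
  - `vmware-toolbox-cmd -v` prints e.g. "12.3.5.46049 (build-22544099)".
  - Fixed baselines come from the article: 12.5.4 (VMware Tools) and
    12.4.9 (32-bit Windows build). Treat them as placeholders and confirm
    against Broadcom's advisory before acting on the result.
  - Only the 12.x line is assessed; other major versions are reported as
    "unknown" because the article gives no baseline for them.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Placeholder baselines taken from the article; confirm against the vendor advisory.
FIXED_BASELINES = {
    "tools": (12, 5, 4),          # VMware Tools 12.5.4
    "windows-32bit": (12, 4, 9),  # VMware Tools 12.4.9 (32-bit Windows build)
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_tools_version(output: str) -> Optional[Version]:
    """Extract major.minor.patch from `vmware-toolbox-cmd -v` output.

    Returns None when no version is present (command missing, error text, etc.).
    """
    match = _VERSION_RE.search(output)
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def needs_patch(version: Version, baseline: str = "tools") -> bool:
    """True when `version` is older than the fixed baseline for the given build.

    Use baseline="windows-32bit" only for the 32-bit Windows package; every
    other 12.x install is compared against the 12.5.4 line.
    """
    return tuple(version) < FIXED_BASELINES[baseline]


def _fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def assess(output: str, baseline: str = "tools") -> str:
    """Turn raw `vmware-toolbox-cmd -v` output into a one-line triage verdict."""
    version = parse_tools_version(output)
    if version is None:
        return "unknown: no VMware Tools version found in output"
    if version[0] != 12:
        # The article names fixes only for the 12.x line; do not guess for others.
        return f"unknown: {_fmt(version)} is outside the 12.x line covered here"
    status = "VULNERABLE (below fix)" if needs_patch(version, baseline) else "patched"
    return f"{_fmt(version)}: {status}"


def current_host_output() -> str:
    """Run `vmware-toolbox-cmd -v` on this host if the binary is available."""
    exe = shutil.which("vmware-toolbox-cmd")
    if exe is None:
        return "vmware-toolbox-cmd not found on this host"
    result = subprocess.run([exe, "-v"], capture_output=True, text=True, check=False)
    return result.stdout or result.stderr


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real system.
    for sample in ("12.3.5.46049 (build-22544099)",
                   "12.5.4.00001 (build-00000001)",
                   "13.0.1.00000 (build-00000002)",
                   "command not found"):
        print(f"{sample!r:40} -> {assess(sample)}")
    print("this host ->", assess(current_host_output()))
```

Run it on each guest (or push it through whatever fleet tooling you already use) and treat "VULNERABLE" as a reason to schedule the Tools upgrade before the November 20 KEV deadline; note that the "patched" verdict says nothing about whether SDMP is enabled in Aria Operations, which you check on the management side.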

Chinese attackers

By adding it to KEV, CISA gave FCEB agencies a three-week deadline to apply the patch (which was published roughly a month ago) or to stop using the vulnerable products entirely. The deadline is November 20.

At the same time, security researchers say the bug has been leveraged by Chinese state-sponsored attackers for roughly a year. NVISO claims that a group tracked as UNC5174 has been using it since mid-October 2024, and the firm has released proof-of-concept (PoC) code demonstrating how it can be leveraged, BleepingComputer reports.

According to Google Mandiant, UNC5174 was hired by China’s Ministry of State Security (MSS) to obtain access to US defense contractors, UK government agencies, and different Asian institutions.

In late 2024, Chinese state-sponsored threat actors abused multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to access French government agencies, as well as numerous commercial entities in the telecommunications, finance, and transportation sectors. The attacks were attributed to a group tracked as Houken which, researchers claimed, bears many similarities to UNC5174.
