Chinese APT UNC5174 Exploits VMware Zero-Day for Widespread Privilege Escalation
Executive Summary
In October 2024, Chinese state-sponsored group UNC5174 began exploiting a zero-day vulnerability (CVE-2025-41244) affecting VMware Aria Operations and VMware Tools, enabling privilege escalation from unprivileged users to root on targeted virtual machines. The flaw, present in both credential-based and credential-less modes, allowed attackers to plant malicious binaries, gain root access, and ultimately compromise internal systems. This attack appears to be part of a wider campaign, with UNC5174 known for targeting critical infrastructure and selling access to compromised entities globally. Broadcom, which owns VMware, patched the vulnerability in September 2025 following an investigation by NVISO and Mandiant, but the exploit was active for nearly a year prior to disclosure.
This incident underscores the increasing frequency of sophisticated supply chain and virtualization platform attacks by well-resourced APTs, especially those linked to state interests. Security teams should be alert to the persistence of zero-day exploitation and trends in privilege escalation across hybrid and cloud infrastructure.
Why This Matters Now
UNC5174's exploitation of a VMware zero-day highlights the urgent need for organizations to prioritize patch management and internal segmentation, as attackers leverage privilege escalation in core infrastructure to reach sensitive assets. The recurrence of similar attacks on widely deployed platforms, coupled with the rise in advanced persistent threats, signals an ongoing shift in the threat landscape demanding immediate defensive reassessment.
Attack Path Analysis
The attack began when UNC5174 exploited the VMware Aria Operations and VMware Tools zero-day (CVE-2025-41244) to gain initial access to cloud workloads. Using the flaw, the adversary escalated privileges to achieve root-level execution within the environment. With elevated access, the attacker likely moved laterally to other internal systems through east-west pathways. They established command and control channels via covert outbound connections for persistent access and remote management. Data was exfiltrated from compromised systems through unmonitored outbound channels. Finally, the attacker may have used their access to disrupt operations, implant backdoors, or sell access to other threat actors.
Kill Chain Progression
Initial Compromise
Description
Exploited a local privilege escalation vulnerability (CVE-2025-41244) in VMware Aria Operations/Tools to execute a malicious binary and gain initial foothold on cloud-hosted VMs.
Related CVEs
CVE-2025-41244
CVSS 7.8A local privilege escalation vulnerability in VMware Aria Operations and VMware Tools allows a malicious local actor with non-administrative privileges to escalate privileges to root on the same VM.
Affected Products:
VMware Aria Operations – All versions prior to 8.10.2
VMware VMware Tools – All versions prior to 12.1.0
Exploit Status:
exploited in the wildCVE-2025-41245
CVSS 5.3An information disclosure vulnerability in VMware Aria Operations allows a malicious actor with non-administrative privileges to disclose credentials of other users.
Affected Products:
VMware Aria Operations – All versions prior to 8.10.2
Exploit Status:
no public exploitCVE-2025-41246
CVSS 6.5An improper authorization vulnerability in VMware Tools for Windows allows a malicious actor with non-administrative privileges on a guest VM to access other guest VMs.
Affected Products:
VMware VMware Tools for Windows – All versions prior to 12.1.0
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploitation for Privilege Escalation
User Execution
Command and Scripting Interpreter
Valid Accounts
Event Triggered Execution
Impair Defenses
Exploit Public-Facing Application
Process Injection
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Common Coding Vulnerabilities
Control ID: 6.5.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Enforce Device Security and Patch Management
Control ID: Identity Pillar - Device Security
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical exposure to Chinese APT UNC5174 VMware zero-day exploitation targeting defense contractors and government entities, requiring immediate privilege escalation vulnerability remediation.
Defense/Space
High-risk sector directly targeted by UNC5174 Chinese state-sponsored attacks exploiting VMware infrastructure, compromising defense contractor networks since October 2024.
Information Technology/IT
VMware Aria Operations and Tools vulnerabilities create widespread privilege escalation risks across IT infrastructure, demanding urgent patching and zero trust segmentation implementation.
Health Care / Life Sciences
VMware infrastructure vulnerabilities threaten HIPAA compliance through potential privilege escalation attacks, requiring enhanced east-west traffic security and threat detection capabilities.
Sources
- Chinese hackers exploiting VMware zero-day since October 2024https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-vmware-zero-day-since-october-2024/Verified
- VMware Aria Operations and VMware Tools updates address multiple vulnerabilitieshttps://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149Verified
- CISA Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-41244Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust segmentation, inline anomaly detection, encrypted traffic controls, and strict egress policy enforcement would have constrained the attack at multiple stages, limiting lateral movement, detecting privilege escalation, and preventing data exfiltration. CNSF controls provide comprehensive cloud-native enforcement, isolating workloads, monitoring internal and outbound flows, and enabling rapid incident response.
Control: Inline IPS (Suricata)
Mitigation: Malicious exploit traffic would have been detected and potentially blocked in real time.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual privilege escalation and process behavior would trigger anomaly alerts for rapid investigation.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation blocks unauthorized lateral movement between workloads based on strict identity and policy.
Control: Cloud Firewall (ACF)
Mitigation: Outbound malicious connections would be blocked or flagged for investigation.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data transfers are detected and prevented through strict egress controls.
Anomalous post-exploitation behavior is rapidly detected for containment.
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive user credentials and unauthorized access to critical systems.
Recommended Actions
Key Takeaways & Next Steps
- • Implement zero trust segmentation to restrict workload-to-workload communication and prevent lateral movement.
- • Deploy inline intrusion prevention and anomaly detection tools to identify and alert on privilege escalation and suspicious process activity.
- • Enforce comprehensive egress filtering with application- and identity-aware policy to block unauthorized outbound connections.
- • Ensure all sensitive traffic is encrypted in transit, leveraging high-performance encryption for all internal and external flows.
- • Regularly audit and monitor hybrid/multi-cloud environments using centralized visibility platforms for rapid threat detection and compliance.
