Subj : Chinese state hackers may be using VMWare Tools flaw to hack US s
To : All
From : TechnologyDaily
Date : Fri Oct 31 2025 14:15:09

Chinese state hackers may be using VMWare Tools flaw to hack US systems - so patch now, CISA warns

Date: Fri, 31 Oct 2025 14:02:00 +0000

Description: A recently patched Broadcom flaw was added to CISA's KEV, warning FCEB agencies about abuse in the wild.

FULL STORY
======================================================================

- CISA added CVE-2025-41244 to KEV, mandating patching by November 20
- The bug enables local privilege escalation via VMware Tools with SDMP enabled
- Chinese group UNC5174 exploited it for espionage targeting Western and Asian institutions

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Broadcom bug to its Known Exploited Vulnerabilities (KEV) catalog, warning Federal Civilian Executive Branch (FCEB) agencies about in-the-wild abuse.

The bug in question is a local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools. According to the NVD, a malicious local actor with non-administrative privileges who has access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit it to escalate privileges to root on the same VM.

The bug is tracked as CVE-2025-41244 and was given a severity score of 7.8/10 (high). Those looking for a fix for Windows 32-bit should seek out VMware Tools 12.4.9, part of VMware Tools 12.5.4. For Linux, a fixed version of open-vm-tools will be distributed by Linux vendors.

Chinese attackers

By adding it to KEV, CISA gave FCEB agencies a three-week deadline to apply the patch (which was published roughly a month ago) or stop using the vulnerable products entirely. The deadline is November 20.

At the same time, security researchers are saying that the bug has been leveraged by Chinese state-sponsored criminals for roughly a year now.
In fact, NVISO claims that a group tracked as UNC5174 has been using it since mid-October 2024, and even released proof-of-concept (PoC) code to demonstrate how it could be leveraged, BleepingComputer reports.

According to Google Mandiant, UNC5174 was hired by China's Ministry of State Security (MSS) to obtain access to US defense contractors, UK government agencies, and various Asian institutions.

In late 2024, Chinese state-sponsored threat actors abused multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to access French government agencies, as well as numerous commercial entities such as telcos, finance, and transportation organizations. The attacks were attributed to a group tracked as Houken which, researchers claimed, bears many similarities to UNC5174.

Via BleepingComputer

======================================================================
Link to news story: https://www.techradar.com/pro/security/chinese-state-hackers-may-be-using-vmware-tools-flaw-to-hack-us-systems-so-patch-now-cisa-warns

--- Mystic BBS v1.12 A49 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)