Chinese state-linked hackers have been exploiting a previously undisclosed (zero-day) vulnerability in VMware software since October 2024. The flaw lets an attacker who already has an ordinary, unprivileged account on an affected machine escalate to root, at which point they can run any command and fully control the system.
I have used VMware before for testing, and I always perceived it to be secure. Clearly trusted software can have vulnerabilities, and some are severe and potentially dangerous, such as this one.
So what is the actual bug?
- It is CVE-2025-41244.
- It is found in both VMware Aria Operations and VMware Tools.
- It is a local privilege escalation: a normal (unprivileged) user account on the affected machine can be turned into root (full administrative control).
How does this occur?
An attacker who already has an ordinary account on the machine can:
- Place a fake binary, named like a real service, in a directory the VMware service-discovery routine does not restrict (the public exploit used /tmp/httpd, a world-writable location).
- Start it so that it appears in the process list, then wait for (or trigger) the privileged VMware discovery routine, which matches running processes by executable path pattern and runs the matched binary with a version flag as root.
- Run their own code as root when the routine executes the fake binary.
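To make the mechanism concrete, here is an added illustration (my own sketch, not VMware's code and not the public exploit): a privileged discovery routine that picks a process by matching its executable path against a loose pattern, next to a version that only accepts binaries from directories an unprivileged user cannot write to. The process listing is constructed, and the pattern and directory allowlist are my simplification of the idea, not VMware's actual patterns.

```shell
#!/bin/sh
# Added illustration, not VMware's code: how a loose executable-path match
# over the process list turns into root code execution when the matched
# binary is later run with a version flag by a privileged routine.

# Constructed process listing, in the shape of `ps -e -o args=`.
# The last entry is an attacker-controlled binary in a world-writable dir,
# started by an unprivileged user so that it shows up in the listing.
PS_LISTING='/usr/sbin/sshd -D
/usr/lib/systemd/systemd-journald
/tmp/httpd -k start'

# Vulnerable selection: any executable whose path ends in /httpd is taken
# to be Apache, wherever it lives. (Simplified stand-in for the pattern
# class behind CVE-2025-41244; the real VMware patterns are not reproduced.)
select_httpd_loose() {   # $1 = process listing, one command line per row
  printf '%s\n' "$1" | awk '$1 ~ /\/httpd$/ { print $1; exit }'
}

# Hardened selection: only accept an absolute path under directories that
# an unprivileged user cannot write to. On a real system you would also
# resolve symlinks and verify root ownership before trusting the path.
select_httpd_strict() {   # $1 = process listing
  printf '%s\n' "$1" |
    awk '$1 ~ /^\/(usr\/sbin|usr\/bin|sbin|bin)\/httpd$/ { print $1; exit }'
}

# What the privileged routine would do with its choice: execute it with a
# version flag. Here we only describe the command instead of running it.
describe_probe() {   # $1 = selected path (may be empty)
  if [ -n "$1" ]; then
    printf 'would execute as root: %s -v\n' "$1"
  else
    printf 'no trusted httpd found; nothing executed\n'
  fi
}

describe_probe "$(select_httpd_loose "$PS_LISTING")"    # picks /tmp/httpd
describe_probe "$(select_httpd_strict "$PS_LISTING")"   # picks nothing
```

The point of the strict variant is not the exact allowlist but that the decision to execute something as root must never depend on a name an unprivileged user controls; a process can be started from any path its owner can write to.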
Who are these attackers?
The activity was attributed to a group known as UNC5174, which is linked to China. They have:
• Broken into U.S. defense contractors
• Attacked government networks in the UK and Asia
• Exploited vulnerabilities in other popular software, such as F5 BIG-IP and ScreenConnect.
Other Chinese hackers attacked SAP servers in the U.S. and UK.
What actions did VMware (Broadcom) take?
Broadcom issued a patch on September 30, 2025. Its advisory lists the affected configurations as:
• VMware Aria Operations (credential-based mode)
• VMware Tools (credential-less mode)
Update now. The flaw is already being exploited in the wild, and public proof-of-concept code exists.
My perspective
This vulnerability is alarming because VMware is used so broadly, from small businesses to large companies to governments. Turning an ordinary account into root gives an attacker total control of the system. If I were responsible for a VMware estate, I would:
• Patch immediately, both VMware Tools inside the guests and Aria Operations.
• Hunt for unexpected executables in world-writable directories that mimic service names (the public exploit used /tmp/httpd), check who created them and whether they are running, and review the host's network connections for destinations that should not be there.
• Keep backups stored safely and isolated, in case recovery is needed.
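As an added hunting helper for the second point (my own script, not VMware's and not from any advisory), the functions below look for executables with service-like names in directories an unprivileged user can write to, and for running processes whose executable lives in such a location. The service-name list is illustrative: httpd is the indicator mentioned above, the others are my assumptions about names a discovery routine might match.

```shell
#!/bin/sh
# Added hunting helper, not VMware's code: find executables that impersonate
# service binaries in scratch directories, and processes running from there.

# Executable files with service-like names under the given directories.
# -perm -100 (owner execute bit) is portable octal; no -maxdepth, so nested
# drop directories are covered too. The name list is illustrative.
hunt_impostor_binaries() {   # $@ = directories to search
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f -perm -100 \
      \( -name httpd -o -name apache2 -o -name nginx -o -name mysqld -o -name java \) \
      2>/dev/null
  done
}

# Processes whose executable path starts in a world-writable location.
# Takes a listing in the shape of `ps -e -o pid=,args=` so it can be run
# against a captured snapshot as well as the live system.
flag_odd_process_paths() {   # $1 = listing text, one "pid args" row per line
  printf '%s\n' "$1" |
    awk '$2 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $1, $2 }'
}

# Live usage: scan the usual scratch directories and the current process list.
if [ "${1:-}" = "--live" ]; then
  hunt_impostor_binaries /tmp /var/tmp /dev/shm
  flag_odd_process_paths "$(ps -e -o pid=,args=)"
fi
```

A hit is not proof of compromise (developers do run builds from /tmp), but an executable called httpd or java owned by an ordinary user in a scratch directory on a server that has VMware Tools installed deserves a look at its owner, timestamps and any outbound connections from its process.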
Conclusion
So the bad news is that Chinese hackers have been exploiting a VMware zero-day vulnerability since October 2024. The vulnerability (CVE-2025-41244) lets them turn an ordinary user account into full root control of the system. The good news is that Broadcom has patched the vulnerability, but the update must be applied sooner rather than later. Ten minutes spent updating the software is far better than weeks spent recovering from an intrusion.