UNC5174 VMware privilege-escalation activity
Updated 31.10.2025 09:09
Case score 59
Score breakdown
- Total: 59
- Lead score: 56
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 1
Top contributors
- Campaign (base): Anchors the UNC5174 exploitation activity against CVE-2025-41244 and establishes the baseline score.
- Vulnerability (context): Confirms the same CVE and product scope, plus vendor patching and KEV remediation context.
- Exploitation Wave (support): Adds the same-CVE exploitation-wave evidence, including the /tmp/httpd staging method, proof-of-concept detail, and attribution to UNC5174.
Members 3
Latest activity 31.10.2025 09:09
Active exploitation
Public PoC/exploit reported
KEV: CISA KEV
Patch available
First seen 30.09.2025 13:57
Last seen 01.10.2025 12:25
Overview
UNC5174 is exploiting **CVE-2025-41244** against **VMware Aria Operations** and **VMware Tools** to move from local access to **root** on affected virtual machines. The campaign has been ongoing since October 2024 and uses malicious binaries staged in **/tmp/httpd** plus VMware service-discovery behavior to trigger privilege escalation.
Broadcom and Linux vendors have released fixes, including updates for VMware environments and **open-vm-tools**. CISA added the flaw to the **Known Exploited Vulnerabilities** catalog and set **November 20, 2025** as the federal remediation deadline, while available evidence does not quantify how many organizations were affected.
UNC5174 has been exploiting **CVE-2025-41244** to escalate privileges on VMware-managed virtual machines and reach **root** on affected systems. The abuse stages a malicious binary in **/tmp/httpd** and relies on VMware service-discovery logic that can treat user-writable paths as trusted inputs, turning a local foothold into full control of the same VM. NVISO tied the activity to UNC5174 and said the exploitation has continued since October 2024, with a proof-of-concept showing how the flaw can be abused on vulnerable systems.
Broadcom said **VMware Aria Operations** and **VMware Tools** are affected, and the same issue also reaches **open-vm-tools** deployments that use the same discovery path. Broadcom and Linux vendors have released fixes, including product updates for VMware environments and vendor-provided **open-vm-tools** remediation. Defenders should hunt for uncommon child processes, suspicious binaries, and lingering discovery artifacts such as **/tmp/httpd**. CISA added **CVE-2025-41244** to its Known Exploited Vulnerabilities catalog and set **November 20, 2025** as the federal remediation deadline.
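The hunt guidance above can be turned into a simple check over process-execution telemetry. The following is an added example, not code from NVISO, Broadcom or this case page: it flags service-named binaries executed from user-writable directories (the page's /tmp/httpd case) and children that the VMware Tools discovery daemon spawns from such a path. The daemon name `vmtoolsd`, the extra service names beyond `httpd`, the JSON event shape and the sample events are all assumptions constructed for the example.

```python
import json
import os
from typing import Dict, List

# Directories any local user can write to; a binary run from here while posing as a
# system service is the staging pattern the page describes (/tmp/httpd).
USER_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Service-like basenames to watch. "httpd" comes from the page; the rest are an
# assumption about names worth watching and should be tuned per environment.
SERVICE_NAMES = {"httpd", "nginx", "mysqld", "sshd", "postgres"}
# Assumed process name of the VMware Tools / open-vm-tools daemon doing discovery.
DISCOVERY_PARENT = "vmtoolsd"


def in_user_writable_dir(path: str) -> bool:
    """True when the normalised path sits under a user-writable staging directory."""
    norm = os.path.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in USER_WRITABLE_DIRS)


def assess_event(ev: Dict) -> List[str]:
    """Return the reasons one exec event looks like CVE-2025-41244-style abuse."""
    reasons = []
    exe = ev.get("exe", "")
    if in_user_writable_dir(exe) and os.path.basename(exe) in SERVICE_NAMES:
        reasons.append(f"service-named binary executed from user-writable path: {exe}")
    if ev.get("parent_comm") == DISCOVERY_PARENT and in_user_writable_dir(exe):
        reasons.append(f"{DISCOVERY_PARENT} spawned child from user-writable path: {exe}")
    return reasons


def hunt(lines: List[str]) -> List[Dict]:
    """Run assess_event over JSON-lines exec telemetry; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = assess_event(ev)
        if reasons:
            findings.append({"pid": ev.get("pid"), "exe": ev.get("exe"), "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry): a normal Apache start, a benign
# discovery probe of the real httpd, a staged /tmp/httpd run by a user, then the
# same binary launched as root by the discovery daemon.
SAMPLE_LOG = [
    '{"pid": 1203, "exe": "/usr/sbin/httpd", "parent_comm": "systemd", "euid": 0}',
    '{"pid": 1877, "exe": "/usr/sbin/httpd", "parent_comm": "vmtoolsd", "euid": 0}',
    '{"pid": 2410, "exe": "/tmp/httpd", "parent_comm": "bash", "euid": 1000}',
    '{"pid": 2418, "exe": "/tmp/httpd", "parent_comm": "vmtoolsd", "euid": 0}',
    'not json at all',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["pid"], f["exe"], "; ".join(f["reasons"]))
```

The second rule is the higher-confidence signal, since the discovery daemon should only ever run binaries from system locations.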