CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

A China-linked threat actor, UNC5174, has been exploiting a zero-day privilege escalation vulnerability in VMware products since mid-October 2024. The flaw, CVE-2025-41244, affects multiple VMware products and allows local attackers to escalate privileges to root on affected virtual machines. The vulnerability was discovered in May 2025 and patched in VMware Tools 12.4.9 and later versions. The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory. UNC5174 has been observed using this method to gain elevated access and execute code on compromised systems. The exact payload and nature of the attacks remain unclear. Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, and Asian institutions, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and ConnectWise ScreenConnect flaw.

Timeline

  1. 30.09.2025 13:57 2 articles · 6h ago

    UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024

    Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, and Asian institutions, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and ConnectWise ScreenConnect flaw.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

TA415 (APT41) Abuses Velociraptor Forensic Tool for C2 Tunneling via Visual Studio Code

Unknown threat actors, identified as TA415 (APT41), deployed the open-source Velociraptor forensic tool to download and execute Visual Studio Code, likely for command-and-control (C2) tunneling. The attack leveraged legitimate software and Windows utilities to minimize malware deployment and maintain a foothold in the target environment. The attackers used Cloudflare Workers domains for staging and additional payloads, and the incident highlights the evolving tactics of threat actors using legitimate tools for malicious purposes. The attack began with the use of the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain. Velociraptor was then used to establish contact with another Cloudflare Workers domain, facilitating the download and execution of Visual Studio Code with tunneling capabilities. This allowed for remote access and code execution, potentially leading to further malicious activities such as ransomware deployment. The phishing campaign targeted US government, think tank, and academic organizations involved in US-China relations, economic policy, and international trade. The attackers impersonated the US-China Business Council and John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party. The phishing messages contained links to password-protected archives hosted on cloud services, which included a shortcut (LNK) file and a hidden subfolder. Launching the LNK file executed a batch script that downloaded the VSCode Command Line Interface (CLI) from Microsoft’s servers, created a scheduled task for persistence, and established a VS Code remote tunnel authenticated via GitHub. The script also collected system information and the contents of various user directories, sending it to the attackers. The script sent a VS Code remote tunnel verification code, allowing the attackers to access the victim’s computer remotely and execute arbitrary commands. The incident underscores the importance of monitoring for unauthorized use of legitimate tools and implementing robust endpoint detection and response systems to mitigate such threats.

Open in new tab

Chinese State-Sponsored Actors Target Global Critical Infrastructure

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.

Open in new tab

Erlang/OTP SSH RCE Exploits Targeting OT Firewalls

A surge in exploitation of CVE-2025-32433, a critical security flaw in Erlang/OTP SSH, has been observed since May 2025. Approximately 70% of these exploits target operational technology (OT) firewalls. This vulnerability, patched in April 2025, allows attackers to execute arbitrary code on vulnerable systems without authentication. The attacks have primarily affected healthcare, agriculture, media, entertainment, and high technology sectors in the U.S., Canada, Brazil, India, Australia, Japan, the Netherlands, Ireland, and France. The exploitation involves using reverse shells to gain unauthorized remote access to target networks. The specific threat actors behind these efforts remain unidentified. The flaw is due to improper state enforcement in the Erlang/OTP SSH daemon, allowing unauthenticated clients to execute commands by sending SSH connection protocol messages to open SSH ports. The flaw has been exploited to create TCP connections and bind them to a shell, allowing interactive command execution over the network. The flaw could have severe consequences on an organization, their network, and operations, including the compromise of sensitive information and disruption of operations.

Open in new tab