UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024
Summary
A China-linked threat actor, UNC5174, has been exploiting a zero-day privilege escalation vulnerability in VMware products since mid-October 2024. The flaw, CVE-2025-41244, affects multiple VMware products and allows local attackers to escalate privileges to root on affected virtual machines. The vulnerability was discovered in May 2025 and patched in VMware Tools 12.4.9 and later versions. The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory. UNC5174 has been observed using this method to gain elevated access and execute code on compromised systems. The exact payload and nature of the attacks remain unclear. Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, Asian institutions, and the cybersecurity firm SentinelOne, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and a ConnectWise ScreenConnect flaw. The exploitation of CVE-2025-41244 is considered trivial, potentially benefiting multiple malware strains. NVISO identified the vulnerability in mid-May 2025 during an incident response engagement with UNC5174. Broadcom disclosed three vulnerabilities on September 29, 2025, including CVE-2025-41244. The CVSS severity rating for CVE-2025-41244 is 7.8, classified as high. On October 31, 2025, CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities catalog. FCEB agencies have until November 20, 2025, to patch their systems. CISA urged all organizations to prioritize patching this vulnerability.
Timeline
- 30.09.2025 13:57 · 6 articles
UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024
CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities catalog on October 31, 2025. The flaw allows a malicious local actor with non-administrative privileges to escalate to root on the same VM. The flaw stems from unsafe actions in Broadcom VMware Aria Operations and VMware Tools. The flaw was addressed by Broadcom-owned VMware last month. The flaw was exploited as a zero-day by unknown threat actors since mid-October 2024. NVISO Labs discovered the vulnerability earlier this May during an incident response engagement. The flaw is trivial to exploit, according to NVISO Labs. The exact payload executed following the weaponization of CVE-2025-41244 has been withheld. Exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root). FCEB agencies are required to apply the necessary mitigations by November 20, 2025, to secure their networks against active threats.
- Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024 — thehackernews.com — 30.09.2025 13:57
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
Information Snippets
- UNC5174 has been exploiting a zero-day privilege escalation vulnerability in VMware products since October 2024.
  First reported: 30.09.2025 13:57 · 4 sources, 6 articles
- Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024 — thehackernews.com — 30.09.2025 13:57
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The vulnerability, CVE-2025-41244, affects multiple VMware products, including VMware Cloud Foundation, VMware vSphere, VMware Aria Operations, VMware Tools, and VMware Telco Cloud Platform.
  First reported: 30.09.2025 13:57 · 4 sources, 6 articles
- Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024 — thehackernews.com — 30.09.2025 13:57
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw allows local attackers with non-administrative privileges to escalate to root on affected virtual machines.
  First reported: 30.09.2025 13:57 · 4 sources, 6 articles
- Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024 — thehackernews.com — 30.09.2025 13:57
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The vulnerability was discovered by NVISO researcher Maxime Thiebaut on May 19, 2025.
  First reported: 30.09.2025 13:57 · 3 sources, 5 articles
- Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024 — thehackernews.com — 30.09.2025 13:57
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory.
  First reported: 30.09.2025 13:57 · 4 sources, 6 articles
- Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024 — thehackernews.com — 30.09.2025 13:57
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- UNC5174 has been observed using the vulnerability to gain elevated access and execute code on compromised systems.
  First reported: 30.09.2025 13:57 · 4 sources, 6 articles
- Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024 — thehackernews.com — 30.09.2025 13:57
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- Broadcom patched the vulnerability in VMware Aria Operations and VMware Tools.
  First reported: 30.09.2025 17:54 · 4 sources, 5 articles
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw allows attackers to stage a malicious binary in writable directories, such as /tmp/httpd, to exploit the vulnerability.
  First reported: 30.09.2025 17:54 · 1 source, 2 articles
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software.
  First reported: 30.09.2025 17:54 · 4 sources, 5 articles
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, and Asian institutions.
  First reported: 30.09.2025 17:54 · 3 sources, 4 articles
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- UNC5174 exploited the F5 BIG-IP CVE-2023-46747 vulnerability and the ConnectWise ScreenConnect flaw in previous campaigns.
  First reported: 30.09.2025 17:54 · 2 sources, 3 articles
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- UNC5174 was involved in exploiting the CVE-2025-31324 flaw in NetWeaver Visual Composer servers.
  First reported: 30.09.2025 17:54 · 2 sources, 3 articles
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- Other Chinese threat actors, such as Chaya_004, UNC5221, and CL-STA-0048, have also targeted SAP NetWeaver instances.
  First reported: 30.09.2025 17:54 · 1 source, 1 article
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- The vulnerability CVE-2025-41244 impacts VMware Tools and VMware Aria Operations.
  First reported: 30.09.2025 22:41 · 2 sources, 2 articles
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw in CVE-2025-41244 can be exploited through the service discovery feature in VMware Tools.
  First reported: 30.09.2025 22:41 · 2 sources, 2 articles
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- UNC5174 exploited the vulnerability by staging malware in writable directories.
  First reported: 30.09.2025 22:41 · 2 sources, 2 articles
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The exploitation of CVE-2025-41244 is considered trivial, potentially benefiting multiple malware strains.
  First reported: 30.09.2025 22:41 · 4 sources, 4 articles
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- NVISO identified the vulnerability in mid-May 2025 during an incident response engagement with UNC5174.
  First reported: 30.09.2025 22:41 · 3 sources, 3 articles
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- Broadcom disclosed three vulnerabilities on September 29, 2025, including CVE-2025-41244.
  First reported: 30.09.2025 22:41 · 3 sources, 3 articles
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The CVSS severity rating for CVE-2025-41244 is 7.8, classified as high.
  First reported: 30.09.2025 22:41 · 4 sources, 4 articles
- China Exploited New VMware Bug for Nearly a Year — www.darkreading.com — 30.09.2025 22:41
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- UNC5174 has been linked to an attack on cybersecurity firm SentinelOne.
  First reported: 01.10.2025 12:25 · 3 sources, 3 articles
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw impacts both credential-based and credential-less service discovery modes in VMware Aria Operations.
  First reported: 01.10.2025 12:25 · 2 sources, 2 articles
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- The vulnerability affects open-vm-tools, included in major Linux distributions.
  First reported: 01.10.2025 12:25 · 2 sources, 2 articles
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- The flaw can be exploited by staging a malicious binary in a writable directory that matches a broad regular expression pattern.
  First reported: 01.10.2025 12:25 · 2 sources, 2 articles
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- UNC5174 exploited the vulnerability by placing malicious binaries in the /tmp/httpd folder.
  First reported: 01.10.2025 12:25 · 2 sources, 2 articles
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- Broadcom fixed the flaw in VMware Cloud Foundation, vSphere Foundation, Aria Operations, Telco Cloud Platform, and VMware Tools.
  First reported: 01.10.2025 12:25 · 2 sources, 2 articles
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- The flaw could have been exploited by other malware strains mimicking system binaries.
  First reported: 01.10.2025 12:25 · 2 sources, 2 articles
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
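The snippets above on staging a binary in a writable directory that matches a broad pattern, and on malware mimicking system binaries, describe a pattern a defender can hunt for: an executable with a daemon-like name (the page names /tmp/httpd) sitting in a world-writable staging location rather than a system path. The following is an added hunting check written for this page; it is not code from NVISO, Broadcom or any of the cited articles. The daemon-name pattern SERVICE_NAME_RE and the STAGING_DIRS list are my own assumptions, not the regular expression used by VMware Tools' service discovery, which the page does not reproduce.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: names of common service daemons. VMware Tools' service discovery
# matches against its own (broader) pattern, which this page does not give;
# this list is only a hunting heuristic and should be tuned per environment.
SERVICE_NAME_RE = re.compile(
    r"^(httpd|nginx|apache2|mysqld|postgres|sshd|java|redis-server)$"
)

# Assumption: world-writable locations where a service binary has no business living.
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class FileInfo:
    """Minimal view of a file: path, st_mode bits and owner uid."""
    path: str
    mode: int
    uid: int


def in_staging_dir(path: str) -> bool:
    """True if path lies inside one of the staging directories (not merely shares a prefix)."""
    norm = os.path.normpath(path)
    return any(norm == d or norm.startswith(d + os.sep) for d in STAGING_DIRS)


def is_suspicious(info: FileInfo) -> bool:
    """Flag a regular, executable file in a staging dir whose basename mimics a daemon.
    Symlinks and directories are ignored because they are not regular files."""
    if not stat.S_ISREG(info.mode):
        return False
    executable = bool(info.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    name_like_daemon = SERVICE_NAME_RE.match(os.path.basename(info.path)) is not None
    return in_staging_dir(info.path) and executable and name_like_daemon


def hunt(records: Iterable[FileInfo]) -> List[Tuple[str, int]]:
    """Return (path, owner uid) for every suspicious record, in input order.
    The owner uid is kept because a staged file owned by an unprivileged
    account is the case the page describes."""
    return [(r.path, r.uid) for r in records if is_suspicious(r)]


def collect(dirs: Iterable[str] = STAGING_DIRS) -> List[FileInfo]:
    """Walk the staging directories on a live host and build FileInfo records.
    Symlinked directories are not followed and unreadable entries are skipped."""
    found: List[FileInfo] = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                full = os.path.join(root, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                found.append(FileInfo(full, st.st_mode, st.st_uid))
    return found


if __name__ == "__main__":
    # Constructed sample records standing in for a filesystem walk.
    sample = [
        FileInfo("/tmp/httpd", 0o100755, 1000),      # staged, executable, daemon-like name
        FileInfo("/usr/sbin/httpd", 0o100755, 0),    # the real daemon in a system path
        FileInfo("/tmp/httpd", 0o100644, 1000),      # same name but not executable
        FileInfo("/tmp/notes.txt", 0o100755, 1000),  # executable but not daemon-like
    ]
    for path, uid in hunt(sample):
        print(f"suspicious: {path} (owner uid {uid})")
```

On a live host, run `hunt(collect())`; every hit is a candidate for triage (owner, mtime, hash), not a verdict, since legitimate build or test tooling occasionally drops similarly named files in /tmp. The check is deliberately filesystem-only so it can run from a forensic image as well as on a running guest.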
- CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities catalog.
  First reported: 30.10.2025 22:01 · 2 sources, 2 articles
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- FCEB agencies have three weeks, until November 20, to patch their systems against ongoing attacks.
  First reported: 30.10.2025 22:01 · 2 sources, 2 articles
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- CISA urged all organizations to prioritize patching this vulnerability as soon as possible.
  First reported: 30.10.2025 22:01 · 2 sources, 2 articles
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- UNC5174 was observed selling access to networks of U.S. defense contractors, UK government entities, and Asian institutions in late 2023.
  First reported: 30.10.2025 22:01 · 2 sources, 2 articles
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- UNC5174 exploited a ConnectWise ScreenConnect flaw (CVE-2024-1709) to breach hundreds of U.S. and Canadian institutions in February 2024.
  First reported: 30.10.2025 22:01 · 2 sources, 2 articles
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- UNC5174 was linked in May 2025 to attacks abusing a NetWeaver unauthenticated file upload flaw (CVE-2025-31324).
  First reported: 30.10.2025 22:01 · 2 sources, 2 articles
- CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers — www.bleepingcomputer.com — 30.10.2025 22:01
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The vulnerability CVE-2025-41244 was added to the CISA Known Exploited Vulnerabilities catalog on October 31, 2025.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw allows a malicious local actor with non-administrative privileges to escalate to root on the same VM.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw stems from unsafe actions in Broadcom VMware Aria Operations and VMware Tools.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw could be exploited by an attacker to attain root-level privileges on a susceptible system.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw was addressed by Broadcom-owned VMware last month.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw was exploited as a zero-day by unknown threat actors since mid-October 2024.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- NVISO Labs discovered the vulnerability earlier this May during an incident response engagement.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The flaw is trivial to exploit, according to NVISO Labs.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- The exact payload executed following the weaponization of CVE-2025-41244 has been withheld.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- Exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root).
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- FCEB agencies are required to apply the necessary mitigations by November 20, 2025, to secure their networks against active threats.
  First reported: 31.10.2025 09:09 · 1 source, 1 article
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
Similar Happenings
Active Exploitation of Critical Motex Lanscope Endpoint Manager Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2025-61932, allows attackers to execute arbitrary code on affected systems. It impacts on-premises versions of Lanscope Endpoint Manager, specifically the Client program and Detection Agent. The flaw has been actively exploited in the wild by the cyber espionage group Tick, which has been using it to deliver a backdoor called Gokcpdoor. Federal agencies are advised to apply patches by November 12, 2025. The vulnerability impacts versions 9.4.7.2 and earlier. It has been addressed in versions 9.3.2.7, 9.3.3.9, 9.4.0.5, 9.4.1.5, 9.4.2.6, 9.4.3.8, 9.4.4.6, 9.4.5.4, 9.4.6.3, and 9.4.7.3. The exact exploitation methods and threat actors were previously unknown, but an alert from the Japan Vulnerability Notes (JVN) portal and Japan's CERT Coordination Center indicated that an unnamed customer and domestic organizations received malicious packets targeting this vulnerability. The vulnerability has a CVSS v4 score of 9.8 and affects Lanscope Endpoint Manager, a unified endpoint management and security platform popular in Japan. Lanscope is deployed by one in every four listed companies and one in every three financial institutions in Japan. The flaw includes missing security checks, lack of barriers to prevent arbitrary code execution, and missing privilege checks. Motex has released a fix for the vulnerability, and it does not affect the cloud version of Lanscope. Around 50 to 160 on-premises Lanscope servers were exposed on the Internet at the time of the Sophos publication. The Bronze Butler group exploited the vulnerability far in advance of its public disclosure. The group used the Havoc command-and-control (C2) tool and a loader called OAED to inject payloads. 
The group used open-source and cloud applications for lateral movement and data exfiltration, including 7-Zip, remote desktop, and file.io. The group used LimeWire, a peer-to-peer (P2P) file-sharing platform, possibly for exfiltration. Japanese organizations face cyber threats shaped by regional geopolitics and industry profiles, with state-sponsored actors from China and North Korea targeting them for espionage and intellectual-property theft.
Active Exploitation of Critical Adobe AEM Forms Misconfiguration
A critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier is under active exploitation. The flaw, CVE-2025-54253, allows arbitrary code execution via an exposed servlet. Adobe released a patch in August 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary fixes by November 5, 2025. The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025. The flaw is caused by an exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without authentication or input validation. This enables attackers to execute arbitrary system commands with a single crafted HTTP request. A proof-of-concept exploit is publicly available.
Unauthenticated access vulnerability in Oracle E-Business Suite Configurator
A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update and patch, but exploitation in the wild has been reported. The vulnerability is in the Runtime UI component and could lead to unauthorized access to critical data. Oracle has silently fixed the vulnerability after it was actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.
Meteobridge Command Injection Vulnerability Exploited in the Wild
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a high-severity command injection vulnerability (CVE-2025-4008) in Smartbedded Meteobridge as actively exploited in the wild. The flaw, with a CVSS score of 8.7, allows remote unauthenticated attackers to execute arbitrary code with elevated privileges on affected devices. The vulnerability resides in the Meteobridge web interface, specifically in the template.cgi script, which is vulnerable due to insecure use of eval calls. The flaw was discovered and reported by ONEKEY in February 2025 and was addressed in Meteobridge version 6.2, released on May 13, 2025. The vulnerability can be exploited through specially crafted requests and malicious webpages, posing a significant risk to users. Federal Civilian Executive Branch (FCEB) agencies are required to apply necessary updates by October 23, 2025, to mitigate the risk.
Clop extortion campaign targets Oracle E-Business Suite
The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. Oracle has confirmed that known vulnerabilities in its E-Business Suite, patched in July 2025, may have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for E-Business Suite. Three of these vulnerabilities are critical and three others are exploitable remotely without authentication. 
The extortion emails are part of a broader campaign, with the attackers sending messages from compromised accounts, some previously associated with the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. Mandiant and GTIG are investigating the claims and recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms. The UK’s National Cyber Security Centre (NCSC) has advised Oracle EBS customers to patch the critical vulnerability CVE-2025-61882, which is being exploited by the Clop ransomware group. The NCSC has urged customers to apply an emergency security update from Oracle, published over the weekend, to address the zero-day vulnerability CVE-2025-61882. The vulnerability impacts Oracle EBS versions 12.2.3-12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC has warned that the Scattered Lapsus$ Hunters group has leaked the exploit used by the Clop gang, increasing the risk of opportunistic attacks on Oracle customers. Rapid7 has advised customers of affected Oracle EBS instances to conduct threat hunting to detect any potential malicious activity, given that exploitation in-the-wild may have occurred since August 2025. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation from multiple groups within days.