UNC5174 VMware CVE-2025-41244 exploitation campaign
Campaign
Summary
The UNC5174 operation is actively exploiting CVE-2025-41244 to gain root code execution on VMware-managed virtual machines, increasing risk for organizations using VMware Aria Operations, VMware Tools, and open-vm-tools. The activity has persisted since October 2024 and uses malicious binaries in /tmp/httpd plus discovery-logic abuse to trigger privilege escalation.
Cases
Related Happenings
Linux kernel Copy Fail local privilege escalation (CVE-2026-31431)
Vulnerability
First: 30.04.2026 12:24
Last: 30.04.2026 12:24
Sources 1
About this happening:
Researchers disclosed **CVE-2026-31431**, a **Linux kernel** local privilege-escalation flaw called **Copy Fail** that can let an **unprivileged local user** gain **root**. The bu...
Latest development: 08.05.2026 08:12
Dirty Frag was described as an unpatched Linux kernel LPE that can give an unprivileged local user root on most Linux distributions by chaining xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write, while the related Copy Fail issue was reported to Linux kernel maintainers on April 30, 2026 and has come under active exploitation in the wild. CloudLinx said the flaw sits in the ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path reachable via the XFRM user netlink interface, and the researcher said Dirty Frag can be triggered regardless of whether the algif_aead module is available; a working PoC was also released.
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
First: 20.04.2026 16:01
Last: 20.04.2026 16:01
Sources 1
About this happening:
The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
VMware ESXi arbitrary-write sandbox escape (CVE-2025-22225)
Vulnerability
First: 04.02.2026 19:38
Last: 04.02.2026 19:38
Sources 1
About this happening:
**CVE-2025-22225** is now confirmed in **ransomware campaigns**, making the **VMware ESXi** sandbox-escape flaw an active risk for exposed virtualization hosts. **Broadcom** patch...
XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)
Vulnerability
First: 29.10.2025 09:44
Last: 29.10.2025 09:44
Sources 1
About this happening:
The **XWiki** eval injection flaw **CVE-2025-24893** is being **actively exploited**, putting exposed servers at risk of **remote code execution** via **/bin/get/Main/SolrSearch**...
Timeline
01.10.2025 12:25 · 2 articles · 7mo ago
NVISO Labs discloses UNC5174's CVE-2025-41244 VMware exploitation
Initial Disclosure: NVISO Labs disclosed that UNC5174, a Chinese state-sponsored threat actor, has been exploiting CVE-2025-41244 against VMware-managed virtual machines since October 2024, using malicious binaries staged in /tmp/httpd and discovery-logic abuse to trigger root code execution on systems with VMware Tools or open-vm-tools and Aria Operations discovery enabled. Broadcom said fixes were available for VMware Cloud Foundation, vSphere Foundation, Aria Operations, Telco Cloud Platform, and VMware Tools, and that Linux vendors would distribute open-vm-tools updates. Organizations were advised to hunt for uncommon child processes and for lingering metrics collector scripts or outputs in legacy credential-based mode.
Sources
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25