Broadcom has warned about severe zero-day vulnerabilities affecting VMware software, which is widely used to power virtual machines. China-linked hackers may have been exploiting the flaws for months or even years to silently elevate privileges to administrator-level.
The tech giant has rolled out patches for VMware Aria Operations, VMware Tools, and related products, addressing three severe flaws that enable attackers to escalate privileges or expose sensitive information.
Administrators rely on this software to monitor and manage their virtual environments.
“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” Broadcom said in the advisory.
Broadcom has rated the flaws' severity in the “important severity range,” with a maximum base score of 7.8 out of 10.
Cybersecurity researchers who discovered and reported the flaws to the company have also discovered signs that threat actors might have been capitalizing on them for months or even years.
NVISO, a cybersecurity firm, said it identified the vulnerabilities through its incident response engagements involving a China-linked state-sponsored hacker group labeled UNC5174.
“NVISO has identified zero-day exploitation in the wild beginning mid-October 2024,” the report reads.
“NVISO determined with confidence that UNC5174 triggered the local privilege escalation.”
However, due to the triviality of the flaws, the researchers cannot assess whether this exploit was part of the hackers’ capabilities – the zero-day’s usage might also have been “merely accidental.”
The threat actor often mimics VMware system binaries, and several malware strains might have “accidentally been benefiting from unintended privilege escalations for years,” Maxime Thiebaut, an incident response and threat researcher expert within NVISO CSIRT, explains.
Curious what others think about this story? Contribute your thoughts to the debate below.
In any case, the proof of concept code is already publicly available, and the researchers showed a working example of how an attacker can gain total control over the VM.
Broadcom urges the application of the patches, as there are no other workarounds.
How would a potential attack work?
For hackers to exploit the flaws, they need to gain some level of initial access as an unprivileged user. VMware virtual machine administrators often rely on Aria Suite and Tools components for performance insights, automated remediation, capacity planning, and additional functionality.
These tools use a service discovery feature to scan the VM regularly (every 5 minutes), identify running programs, and their versions.
The researchers found that unprivileged attackers can create a malicious program, place it in a public location of the VM, such as the /tmp folder, and run it.
The next time the scanner runs, it will pick up this fake program and run it with administrative privileges to check its version. However, instead of the version information, the malicious program now has root access and can do anything: install backdoors, steal data, and, ultimately, take control of the system.
VMware inherently trusts that anything that matches its patterns is legitimate software, including unprivileged user-controlled paths. Thus, the attacker only needs to name the malicious binary after a legitimate service that is recognized by VMware.
“As simple as it sounds, you name it, VMware elevates it,” Thiebaut said.
For example, China-linked hackers often store binaries disguised as /tmp/httpd (HTTP daemon, a program name for a web server). The VMware service discovery then picks these up and runs with elevated privileges, even if unintentionally.
The researcher warns that threat actors likely already knew about this vulnerability. In May 2025, NVISO discovered forensic artifacts and responsibly disclosed the issue to Broadcom.
A less severe information disclosure vulnerability enables a malicious actor with non-administrative privileges in VMware Aria Operations to obtain the credentials of other users.
The third bug affects VMware Tools for Windows, which allows low-privilege attackers to break into other guest VMs once they've gained initial access through vCenter (VMware's management software) or ESXi (the software that hosts virtual machines).
Successful exploitation requires knowledge of the credentials of the targeted VMs and vCenter or ESXi.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked