Broadcom has warned of a local privilege-escalation vulnerability in VMware products that lets an unprivileged user on a guest gain root. Researchers at NVISO found evidence that a China-linked group had been silently exploiting the bug since October 2024, long before a patch existed.

The vulnerability, tracked as CVE-2025-41244, affects VMware Aria Operations, VMware Tools and the products that bundle them. The flaw is in the service discovery feature, which enumerates running processes and launches their binaries with a version flag to record what software is installed on the guest. The path matching is too loose: an unprivileged user who drops a binary with a service-like name into a world-writable directory and runs it gets that same binary executed by the discovery component with root privileges. That is a complete takeover of the virtual machine: installing backdoors, stealing data and intercepting network traffic.

Broadcom rated the bug "Important" with a CVSS score of 7.8 out of 10. Fixed versions are available, but there is no workaround, so patching is the only protection.

NVISO attributes the exploitation to UNC5174, a group assessed to operate on behalf of the Chinese state. Traces of the technique appeared in incident investigations as early as October 2024. The researchers also point out that malware which happens to run its binaries from such directories may have triggered the same privilege escalation unintentionally for years; the attackers simply turned that side effect into a deliberate technique. Broadcom published its advisory in September 2025.

VMware administrators should update Aria Operations and VMware Tools (including open-vm-tools on Linux guests) immediately, look for service-named binaries running from unusual locations such as world-writable directories, and check logs for signs that the discovery component executed anything outside the normal system paths. The incident shows that even a basic inventory function in mission-critical software can become a tool for complete system takeover.
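As an added illustration, not VMware's code and not NVISO's, the following Python models both the flaw described above and the hunting check recommended here. It assumes a discovery agent that matches process executable paths against a loose pattern of the form `\S+/<name>` and then runs whatever matched with a version flag as root; `SERVICE_NAMES`, `TRUSTED_BIN_DIRS`, the `Proc` record and the sample process list are all constructed for the example and do not reproduce the real product's list or regexes.

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed list of service names a discovery agent might probe for a version.
SERVICE_NAMES = ["httpd", "nginx", "mysqld", "postgres", "java"]

# Directories in which system binaries legitimately live. Assumption for the
# example: on the host these are root-owned and not world-writable.
TRUSTED_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                    "/usr/local/sbin/", "/usr/local/bin/", "/opt/")


@dataclass
class Proc:
    pid: int
    uid: int            # uid the process runs as (owner of /proc/<pid>)
    exe: str            # resolved executable path (target of /proc/<pid>/exe)
    exe_owner_uid: int  # owner of that file on disk (os.stat(exe).st_uid)


def broad_pattern(name: str) -> "re.Pattern":
    """Model of the flawed match: any non-blank prefix, then '/<name>'.
    '/tmp/httpd' satisfies it exactly as '/usr/sbin/httpd' does."""
    return re.compile(rf"^\S+/{re.escape(name)}\S*$")


def looks_like_service(path: str) -> bool:
    return any(broad_pattern(n).match(path) for n in SERVICE_NAMES)


def under_trusted_dir(path: str) -> bool:
    return path.startswith(TRUSTED_BIN_DIRS)


def vulnerable_select(procs: List[Proc]) -> List[str]:
    """Executables a naive agent would run with a version flag, as root.
    Anything a local user planted under a matching name is included."""
    return [p.exe for p in procs if looks_like_service(p.exe)]


def hardened_select(procs: List[Proc]) -> List[str]:
    """Same selection, but the binary must live in a trusted directory and be
    root-owned before anything executes it with elevated privileges."""
    return [p.exe for p in procs
            if looks_like_service(p.exe)
            and under_trusted_dir(p.exe)
            and p.exe_owner_uid == 0]


def hunt_suspicious(procs: List[Proc]) -> List[str]:
    """Hunting heuristic: service-named executables running from outside the
    trusted directories, i.e. exactly what the loose match would run as root."""
    return [e for e in vulnerable_select(procs) if not under_trusted_dir(e)]


def collect_live() -> List[Proc]:
    """Read the real process table on Linux (root is needed to see every exe)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            procs.append(Proc(int(pid), os.stat(f"/proc/{pid}").st_uid,
                              exe, os.stat(exe).st_uid))
        except OSError:
            continue  # process exited, exe deleted, or not permitted to read
    return procs


# Constructed sample: one planted /tmp/httpd and one user-writable nginx path.
SAMPLE_PROCS = [
    Proc(1001, 0, "/usr/sbin/httpd", 0),
    Proc(1002, 1000, "/tmp/httpd", 1000),              # planted by an unprivileged user
    Proc(1003, 999, "/usr/bin/mysqld", 0),
    Proc(1004, 1000, "/home/dev/.cache/nginx", 1000),  # service name, user-writable path
    Proc(1005, 1000, "/usr/bin/python3", 0),
]

if __name__ == "__main__":
    procs = collect_live() if "--live" in sys.argv else SAMPLE_PROCS
    print("loose match would execute as root:", vulnerable_select(procs))
    print("hardened match would execute:     ", hardened_select(procs))
    print("suspicious, investigate:          ", hunt_suspicious(procs))
```

Run it without arguments to see the constructed case, or with `--live` as root on a Linux guest to apply the hunting heuristic to the real process table. The hardened variant only fixes the selection step; a discovery agent that must run untrusted binaries at all should additionally drop to the target process's own uid before executing them, so that a planted file never runs with more privilege than the user who planted it.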