
NormCyber Threat Bulletin: 8th October 2025

Newly disclosed VMware vulnerability exploited for nearly a year

A newly disclosed vulnerability in VMware products appears to have been actively exploited in the wild for almost a year. Broadcom (the owner of VMware) publicly revealed three security flaws—CVE-2025-41244, CVE-2025-41245, and CVE-2025-41246—on 29 September, along with patches to remediate them. Of these, CVE-2025-41244 has drawn the most attention, as a penetration testing firm (NVISO) asserts it was exploited as a zero-day from around October 2024.

CVE-2025-41244 is a privilege escalation flaw affecting VMware Tools and VMware Aria Operations. The vulnerability resides in a service-discovery component: while discovering binaries on the host, the component can end up running non-system or malicious binaries with elevated privileges. According to NVISO, the exploitable path is trivial, meaning that even unsophisticated attackers or existing malware may have triggered it inadvertently over time.

In its investigation, NVISO traced exploitation activity back to a Chinese state-sponsored threat actor known as UNC5174, who reportedly used the privilege escalation in attacks. The firm detected the vulnerability in mid-May, during an incident response engagement related to UNC5174, and thereafter informed Broadcom under responsible disclosure. Forensic analysis indicated earlier traces of exploitation dating to October 2024, constituting a dwell time of several months before detection.

Interestingly, the NVISO blog suggests that because the flaw is simple and detectable from open-source code, it is plausible that other malware strains have been exploiting the same mechanism unknowingly over a longer period.

Broadcom’s advisory rates the issue with a high CVSS score of 7.8, and states that the only remediation is to apply the published patches; no other mitigations or workarounds are offered.

In summary, the VMware vulnerability CVE-2025-41244 illustrates how even seemingly modest privilege escalation flaws can be leveraged over long periods, especially by sophisticated adversaries. The case underscores the importance of proactive threat hunting and prompt patching, as well as the risk that existing malware may already have utilised the flaw unintentionally.


Red Hat security compromised via breach of GitLab instance


Red Hat has confirmed that it recently experienced a security incident following a breach of one of its GitLab instances. The intrusion was initially claimed by a group calling itself the Crimson Collective, which asserted that it had exfiltrated nearly 570 GB of compressed data drawn from approximately 28,000 internal development repositories. Among the allegedly stolen materials are some 800 Customer Engagement Reports (CERs), which tend to contain sensitive technical information regarding customer networks and system configurations.

Red Hat have clarified that the breach was confined to their internal consulting GitLab instance, stating that their public GitHub and wider software supply chain remain unaffected. Red Hat have also stated that, while they have already begun remediating the breach, they could not immediately verify every claim made by the attackers.

In response to this incident, Red Hat have isolated the compromised GitLab instance, revoked all illicit access to it and launched an internal investigation. They have also confirmed that additional hardening measures have been implemented to prevent subsequent intrusions.

GitLab – separately – stated that its platform (as offered commercially) was not compromised. The incident was limited to Red Hat’s self-managed instance of GitLab Community Edition, which is distinct from public cloud or official GitLab services.

Red Hat further stated that typical CERs do not contain personally identifiable information (PII), and that none have been discovered so far in the investigation. Red Hat is now contacting customers who may have been affected to provide them with further details on potential exposure.

The hacker group claims to have tried to initiate extortion attempts, submitting demands to Red Hat, but they say their messages were met only by generic replies directing them to file vulnerability reports. The attackers have also shared a directory listing of the stolen content and published a list of CERs spanning 2020 to 2025 on Telegram, citing organisations across diverse sectors including major banks, telecommunications, government bodies, and healthcare.


New MatrixPDF toolkit

A new toolkit known as MatrixPDF has emerged, enabling attackers to transform otherwise innocuous PDF documents into sophisticated phishing or malware lures. Researchers at Varonis discovered the tool being advertised on cybercrime forums, with its developer also engaging via Telegram. Although marketed as a phishing simulation or red-teaming product, its use in live campaigns indicates that its primary purpose is malicious.

The toolkit allows attackers to upload a genuine PDF and layer it with malicious features: blurred content, fake security prompts, clickable overlays, and embedded JavaScript actions. These additions enable the document to appear legitimate while directing a victim to a remote payload or phishing site when they interact with it. The malicious behaviour is effectively concealed, since the PDF itself does not carry an executable binary; instead, it defers malicious actions to external links triggered on interaction.

In testing, Varonis demonstrated that such PDF documents can bypass Gmail’s phishing filters. Because the PDFs contain no embedded binaries and only external links, their structure is benign in the eyes of standard scanning engines. Gmail does not run PDF JavaScript in its viewer, but clickable elements that lead to external sites are permitted—thus, when a user clicks, the malicious site is loaded via browser, and the action is seen as user-initiated. Some versions may attempt to trigger such redirections immediately upon opening, though modern PDF viewers often warn users when a document tries to connect to remote sources.
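The detection gap described above comes from scanners that only look for embedded executables. The following added example (not code from Varonis or from the MatrixPDF toolkit) shows a defensive triage check that instead flags the PDF-level features the bulletin describes: an OpenAction or page-level additional action that fires on open, JavaScript actions, and external URI links. Both sample PDFs are constructed inline and the URLs are `example.invalid` placeholders, not indicators from any real campaign.

```python
import re

# Constructed sample: no embedded binary, but an OpenAction pointing at an
# external URI, a page-level JavaScript action and a full-page clickable link.
# The hostnames are placeholders, not real indicators.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI (https://phish.example.invalid/login) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /AA << /O << /S /JavaScript /JS (app.alert("constructed sample");) >> >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (https://phish.example.invalid/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: a single empty page with no actions at all.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def normalize_names(data: bytes) -> bytes:
    """Fold PDF #xx hex escapes in names (e.g. /J#61vaScript -> /JavaScript)
    so a keyword scan cannot be dodged by escaping characters."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def analyse_pdf(data: bytes) -> dict:
    """Return the open-triggered and interaction-triggered features of a PDF
    together with a coarse risk verdict. This is a raw-byte scan: content
    inside compressed object streams (/ObjStm) is not inspected, so the
    report says when such streams are present and decompression is needed."""
    data = normalize_names(data)
    findings = {
        # Actions that fire without any click, as soon as the document opens.
        "open_action": b"/OpenAction" in data,
        "additional_actions": re.search(rb"/AA\b", data) is not None,
        # Actions whose effect is external to the document itself.
        "javascript": re.search(rb"/(JavaScript|JS)\b", data) is not None,
        "launch": b"/Launch" in data,
        "embedded_file": b"/EmbeddedFile" in data,
        "uris": sorted({u.decode(errors="replace") for u in URI_RE.findall(data)}),
        # Naive scanning is blind to these; flag them for deeper analysis.
        "compressed_objects": b"/ObjStm" in data,
    }
    auto_trigger = findings["open_action"] or findings["additional_actions"]
    risky_action = findings["javascript"] or findings["launch"] or findings["embedded_file"]
    if auto_trigger and (risky_action or findings["uris"]):
        findings["risk"] = "high"      # fires on open and reaches outside the file
    elif risky_action:
        findings["risk"] = "medium"    # needs a click, but runs code or a program
    elif findings["uris"]:
        findings["risk"] = "low"       # plain external links are common in benign PDFs
    else:
        findings["risk"] = "none"
    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        report = analyse_pdf(doc)
        print(f"{label}: risk={report['risk']} uris={report['uris']} "
              f"js={report['javascript']} open_action={report['open_action']}")
```

The verdict deliberately treats a bare link annotation as low risk, since ordinary business PDFs are full of them; what separates a MatrixPDF-style lure is the combination of an on-open trigger with an outbound action. A gateway that only checks for embedded binaries reports nothing on either sample, which is exactly the gap the Varonis testing exposed.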

The developer markets MatrixPDF with features aimed at professional security use: drag-and-drop PDF import, real-time previewing, metadata encryption, content blurring, and mechanisms for “secure redirect” and bypassing Gmail’s protections.

Given the ubiquity of PDF documents in business communication, Varonis warns that PDFs remain attractive phishing vectors and that appropriate mitigations should be in place to counter threats such as MatrixPDF: raising user awareness, restricting automatic redirects to external URLs, and continuously reviewing email filtering rules so that only trusted or verified mail reaches recipients.

