Chinese State Actors Slamming VMware and SharePoint With Three Different Zero-Days

Post date: October 6, 2025 · Discovered: April 23, 2026 · 4 posts, 0 comments

Intelligence sources point to active exploitation across three separate security topics: VMware's CVE-2025-41244, Microsoft SharePoint's CVE-2025-53770, and two further Microsoft flaws (CVE-2024-43451 and CVE-2024-49039). The Chinese state-sponsored threat actor UNC5174 is tied to the VMware exploitation, and reports suggest Chinese actors are targeting SharePoint to steal private keys and plant malware.

The discussion is fragmented across three distinct security topics. 'randomname' detailed that the VMware flaw allows unprivileged local attackers to gain root access, and linked the exploitation to UNC5174. Another user pointed out that Microsoft patched two actively exploited zero-days in November 2024. The most aggressive claims, however, centered on 'drmoose' reporting evidence of Chinese hackers exploiting the SharePoint vulnerability (CVE-2025-53770) to plant malware remotely.

The community lacks a unified focus. People are tracking three unrelated, high-severity vulnerabilities impacting three different vendors. The fault lines run between threat actors targeting specific platforms (Chinese state actors versus general vulnerability disclosure) and the sheer volume of disparate, unconfirmed zero-day intelligence hitting the feed.

Key Points

#1 VMware vulnerability (CVE-2025-41244) allows local privilege escalation.

'randomname' stated the flaw lets unprivileged local attackers achieve root code execution, and the exploit was seen in the wild starting mid-October 2024.

#2 Chinese actors are exploiting a major Microsoft SharePoint flaw.

'drmoose' cited Google and Microsoft evidence that Chinese hackers are using CVE-2025-53770 to steal private keys and deploy malware.

#3 The NVISO researcher provided specific exploit conditions for the VMware hole.

Maxime Thiebaut noted the malicious binary needs to run under an unprivileged user and must open a listening socket.

#4 Microsoft patched multiple active zero-days in November 2024.

'lemmydev2' confirmed the patches for CVE-2024-43451 and CVE-2024-49039.

#5 The threat actor linked to the VMware flaw is identified.

'randomname' asserted the exploitation of the VMware vulnerability was linked directly to the UNC5174 Chinese state-sponsored threat actor.

Source Discussions (4)

This report was synthesized from the following Lemmy discussions, ranked by community score.

185 points · Google, Microsoft say Chinese hackers are exploiting SharePoint zero-day · [email protected] · 29 comments · 7/23/2025 · by drmoose · techcrunch.com

14 points · Chinese hackers exploiting VMware zero-day since October 2024 · [email protected] · 0 comments · 10/6/2025 · by randomname · bleepingcomputer.com

10 points · Chinese hackers exploiting VMware zero-day since October 2024 · [email protected] · 0 comments · 9/30/2025 · by lemmydev2 · bleepingcomputer.com

5 points · Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) · [email protected] · 0 comments · 11/12/2024 · by lemmydev2 · helpnetsecurity.com