Broadcom Held Silent on Exploited VMware Zero-Day

Broadcom has issued patches for a VMware vulnerability—CVE-2025-41244—that was already under exploitation by a China-linked hacking group, but failed to disclose that fact in its public advisory.

The flaw allows a non-administrative user in a virtual machine to escalate privileges to root, provided VMware Tools is installed and Aria Operations is managing the VM with the Service Discovery Management Pack enabled. Broadcom’s advisory, published on 29 September, warns of the elevation risk but omits mention of confirmed exploitation in the wild. NVISO Labs, the security firm credited with detecting the issue, asserts that the vulnerability has been abused since October 2024.

NVISO and cybersecurity analysts attribute the in-the-wild exploitation to UNC5174, a threat actor with suspected ties to the Chinese state. The group reportedly used the vulnerability by placing malicious binaries—commonly under /tmp/httpd—into systems so that VMware’s discovery routines would invoke them with higher privileges. Because open-source variants of VMware Tools, like open-vm-tools, also mirror the vulnerable logic, Linux deployments are likewise exposed.

In its patch announcement, Broadcom describes the flaw as a local privilege escalation affecting both VMware Aria Operations and VMware Tools. However, its public communication does not acknowledge any observed exploitation. The advisory places the severity at a base score of 7.8, and recommends patching VMware Cloud Foundation, vSphere Foundation, VMware Tools, and related platforms. The company notes that fixes for open-vm-tools will be disseminated by Linux distribution maintainers.

Beyond CVE-2025-41244, Broadcom also addressed other significant vulnerabilities: CVE-2025-41245, which permits disclosure of credentials in Aria Operations; CVE-2025-41246, enabling improper authorization in VMware Tools; plus high-severity flaws in vCenter and NSX involving SMTP header injection and username enumeration. Collectively, the patches span Aria Operations version 8.18.5, vSphere/Cloud Foundation 9.0.1.0 and 13.0.5.0, and various NSX releases.

Cybersecurity communities have sharply criticised Broadcom’s decision not to highlight that one of its patched flaws had been exploited. Analysts point out that typical advisories often signal proof of exploitation—both to warn users and to prioritise patching efforts. NVISO’s public blog emphasises that although the exploit is simple to trigger, the lack of transparency raises accountability concerns.

To detect past exploitation, security teams are urged to examine for abnormal child processes and track any execution of binaries under ephemeral directories used by VMware for service discovery. In environments operating in legacy credential-based mode, forensic analysis of lingering scripts and temporary folders associated with VMware’s metrics collector may reveal intrusions.