Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability
Briefly

"Tracked as CVE-2025-41244 (CVSS score of 7.8), the security defect impacts both VMware Aria Operations and VMware Tools. VMware's parent company Broadcom rolled out patches this week, warning that the flaw allows attackers to escalate their privileges to root on VMs that have VMware Tools installed and are managed by Aria Operations with SDMP enabled, but made no mention of its in-the-wild exploitation."
"According to NVISO, which was credited for the find, a Chinese state-sponsored threat actor tracked as UNC5174 has been exploiting the bug for a year. UNC5174 was recently linked to an attack on cybersecurity firm SentinelOne. "We can however not assess whether this exploit was part of UNC5174's capabilities or whether the zero-day's usage was merely accidental due to its trivialness," NVISO notes."
"The vulnerability impacts VMware Aria Operations' service and application discovery feature, which includes both legacy credential-based service discovery (in which VMware Tools acts as a proxy for the operation) and credential-less service discovery (metrics collection implemented in VMware Tools). "As part of its discovery, NVISO was able to confirm the privilege escalation affects both modes, with the logic flaw hence being respectively located within VMware Aria Operations (in credential-based mode) and the VMware Tools (in credential-less mode)," NVISO explains."
A high-severity VMware vulnerability, CVE-2025-41244 (CVSS 7.8), allows a local attacker to escalate privileges to root on VMs that have VMware Tools installed and are managed by Aria Operations with SDMP enabled. The flaw affects both VMware Aria Operations and VMware Tools, and also the open-source open-vm-tools package shipped by major Linux distributions. NVISO Labs attributed exploitation dating back to October 2024 to UNC5174, a Chinese state-sponsored actor linked to a recent attack on SentinelOne, while noting it cannot tell whether the group deliberately used the zero-day or triggered it by accident given how trivial it is. Broadcom released patches but made no mention of in-the-wild exploitation. The logic flaw sits in the service and application discovery feature and affects both the credential-based mode (where the bug lives in Aria Operations) and the credential-less mode (where it lives in VMware Tools).
Read at SecurityWeek