Overview
- Broadcom released fixes for CVE-2025-41244 across VMware Aria Operations, VMware Tools, Cloud Foundation, vSphere Foundation and Telco Cloud Platform, with open-vm-tools updates to be delivered by Linux vendors.
- NVISO reports China-linked UNC5174 has exploited the bug since mid-October 2024 by staging malicious binaries at /tmp/httpd to obtain root via a regex logic flaw in get_version().
- According to Broadcom’s advisory, a local non-admin on a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled can escalate privileges to root on the same VM.
- NVISO published a proof-of-concept and recommends hunting for uncommon child processes or lingering metrics-collector artifacts to spot past abuse.
- Reporting notes that Broadcom’s bulletin did not mention observed in-the-wild exploitation; the company also shipped separate patches for NSX and vCenter, including NSA-reported username-enumeration flaws.
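As an added defender-side illustration (not code from NVISO or Broadcom), the hunt below runs over constructed `ps -eo pid,ppid,args` output and flags service-named binaries executing from staging directories such as /tmp, reporting the parent that launched them. The parent name `vmtoolsd`, the extra directories and the service names other than `httpd` are assumptions, not details from the page.

```python
import re

# Constructed sample of `ps -eo pid,ppid,args` output; /tmp/httpd mirrors
# the staging path reported on the page, the rest is made up.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 /sbin/init
  812     1 /usr/bin/vmtoolsd
 2231   812 /tmp/httpd
 2240     1 /usr/sbin/httpd -DFOREGROUND
 2301  2240 /usr/sbin/httpd -DFOREGROUND
 2410   812 /var/tmp/nginx
"""

# World-writable locations a real service binary should never run from
# (assumed list; /tmp is the one the page names).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Service basenames worth matching; "httpd" comes from the page, the
# others are assumptions to show the general pattern.
SERVICE_NAMES = {"httpd", "nginx", "mysqld", "postgres", "sshd"}

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)(.*)$")


def parse_ps(text):
    """Parse ps output into {pid: {pid, ppid, exe, args}}, skipping the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, ppid, exe, rest = m.groups()
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid),
                           "exe": exe, "args": rest.strip()}
    return procs


def is_staged_lookalike(exe):
    """True when a service-named binary lives in an untrusted directory."""
    return exe.startswith(UNTRUSTED_DIRS) and exe.rsplit("/", 1)[-1] in SERVICE_NAMES


def hunt(text):
    """Return (pid, exe, parent_exe) for each staged look-alike process."""
    procs = parse_ps(text)
    hits = []
    for p in procs.values():
        if is_staged_lookalike(p["exe"]):
            parent = procs.get(p["ppid"], {}).get("exe", "?")
            hits.append((p["pid"], p["exe"], parent))
    return hits
```

A legitimate `/usr/sbin/httpd` is not flagged; only the copies launched from staging directories are, together with the collector-like parent that spawned them.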