Particle.news

Broadcom Patches VMware Privilege-Escalation Zero-Day Linked to China, Faces Disclosure Scrutiny

NVISO says a China-linked group abused the flaw for a year, raising questions over Broadcom’s omission of active exploitation in its advisory.

Overview

  • Broadcom released fixes for CVE-2025-41244 across VMware Aria Operations, VMware Tools, Cloud Foundation, vSphere Foundation and Telco Cloud Platform, with open-vm-tools updates to be delivered by Linux vendors.
  • NVISO reports that China-linked UNC5174 has exploited the bug since mid-October 2024 by staging a malicious binary at /tmp/httpd: the service-discovery regex in get_version() accepts an executable from any directory, and the metrics collector then runs that executable as root to read its version.
  • According to Broadcom’s advisory, a local non-admin on a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled can escalate privileges to root on the same VM.
  • NVISO published a proof-of-concept and recommends hunting for uncommon child processes of the metrics collector, or for lingering artifacts such as a staged binary left in /tmp, to spot past abuse.
  • Reporting notes Broadcom’s bulletin did not mention observed in-the-wild exploitation, as the company also shipped separate patches for NSX and vCenter, including NSA-reported username enumeration flaws.
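The two bullets above describe both the flaw (a discovery regex that accepts a binary from any path, which the collector then executes as root) and the hunt NVISO suggests. The following is an added example, not code from NVISO, Broadcom or the VMware Tools script: it models the flawed path selection against a hardened allowlist and runs both hunts over a constructed process listing. The regex text, the trusted-prefix list, the vmtoolsd-based ancestry check and every sample process are assumptions for illustration; the real discovery script's patterns and paths are not on this page.

```python
import re
from dataclasses import dataclass

# Assumed pattern in the style the article describes: the leading "\S+"
# accepts any directory, so "/tmp/httpd" satisfies it exactly as
# "/usr/sbin/httpd" does. Illustrative, not VMware's actual regex.
SERVICE_PATTERNS = {
    "httpd": re.compile(r"(\S+/httpd)(?:\s|$)"),
}

# Hardened selection (assumption, not Broadcom's fix): only consider binaries
# under directories an unprivileged local user cannot write to.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/local/sbin/",
                    "/usr/local/bin/", "/sbin/", "/bin/", "/opt/")


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    cmdline: str


def vulnerable_pick(cmdline):
    """Mimic the flawed selection: first service regex hit, any directory."""
    for name, pat in SERVICE_PATTERNS.items():
        m = pat.search(cmdline)
        if m:
            return name, m.group(1)
    return None


def hardened_pick(cmdline):
    """Same selection, but refuse executables outside trusted prefixes."""
    found = vulnerable_pick(cmdline)
    if found is None or not found[1].startswith(TRUSTED_PREFIXES):
        return None
    return found


def hunt_staged_binaries(procs):
    """Processes the flawed regex would select from an untrusted directory
    (the lingering /tmp/httpd artifact the article mentions)."""
    return [(p.pid, p.user, vulnerable_pick(p.cmdline)[1])
            for p in procs
            if vulnerable_pick(p.cmdline) and hardened_pick(p.cmdline) is None]


def _has_ancestor(by_pid, p, comm):
    """Walk the parent chain; the collector may spawn via an intermediate shell."""
    seen = set()
    while p.ppid in by_pid and p.ppid not in seen:
        seen.add(p.ppid)
        p = by_pid[p.ppid]
        if p.cmdline.split()[0].endswith(comm):
            return True
    return False


def hunt_collector_children(procs, collector_comm="vmtoolsd"):
    """Descendants of the metrics collector whose executable is not under a
    trusted prefix: the 'uncommon child process' hunt. Assumes the collector
    runs as vmtoolsd; adjust for the real parent on the host."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        exe = p.cmdline.split()[0]
        if _has_ancestor(by_pid, p, collector_comm) and not exe.startswith(TRUSTED_PREFIXES):
            hits.append((p.pid, p.user, exe))
    return hits


# Constructed listing (not real telemetry): a legitimate web server, a
# low-privilege user's staged /tmp/httpd, and the collector executing it as root.
SAMPLE_PROCS = [
    Proc(1, 0, "root", "/sbin/init"),
    Proc(1200, 1, "root", "/usr/bin/vmtoolsd"),
    Proc(2210, 1, "root", "/usr/sbin/httpd -k start"),
    Proc(3333, 1, "alice", "/tmp/httpd"),
    Proc(4100, 1200, "root", "/bin/sh /opt/example/discovery.sh"),  # hypothetical script path
    Proc(4101, 4100, "root", "/tmp/httpd -v"),
]

if __name__ == "__main__":
    print("staged binaries:", hunt_staged_binaries(SAMPLE_PROCS))
    print("collector children:", hunt_collector_children(SAMPLE_PROCS))
```

On a live host the `Proc` list would come from `ps -eo pid,ppid,user,args`; the point of the ancestry walk is that the staged binary shows up running as root under the collector even though the user who planted it only ever ran it unprivileged.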