Broadcom has patched a high-severity VMware vulnerability (CVE-2025-41244, CVSS 7.8) that had been exploited as a zero-day for nearly a year. The flaw, impacting VMware Aria Operations and VMware Tools (including open-vm-tools on Linux), allows privilege escalation to root on VMs. Security researchers at NVISO Labs reported that a Chinese state-sponsored threat group, UNC5174, has been actively exploiting the bug, including by staging malicious binaries in writable directories like /tmp/httpd. Patches are now available across VMware Cloud Foundation, vSphere, Aria Operations, Telco Cloud Platform, VMware Tools, and open-vm-tools (to be distributed by Linux vendors). Detection requires monitoring for uncommon child processes or leftover collector scripts.
You can find more details here: https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
Gunter Ollmann, CTO, Cobalt had this comment:
“Zero-days that persist in widely used infrastructure for nearly a year highlight the growing mismatch between vendor disclosures and adversary realities. In this case, the triviality of the exploit means it likely fell into the hands of multiple threat actors, not just those with nation-state capabilities. When exploitation is both simple and widespread, leaving customers unaware is an unforced error that adds unnecessary risk. The industry needs more candor around zero-day exploitation so defenders can calibrate their urgency. In the long run, trust in security advisories will matter as much as the patches themselves.”
Dale Hoak, CISO, RegScale adds this:
“An unpatched or undisclosed zero-day undermines the very foundation of compliance programs, which rely on accurate risk data. If customers don’t know an exploit is active, they can’t prioritize remediation, leaving regulators and auditors working from a false baseline of assurance. This is why it’s critical to operationalize risk in the larger context of patching—moving beyond a checklist exercise to a process that connects advisories, vulnerability data, and remediation actions in real time. Continuous controls monitoring enables that connection, ensuring that controls are validated against live threats, not just documented in static reports. Real assurance comes when organizations can align compliance, risk, and patching as a single operational discipline.”
While I am a big believer in patching all the things, you also have to have an approach to security that mitigates the potential effects of zero-days. That’s not easy to do, but it has become a requirement given how quickly threat actors evolve and shift tactics.
I should also mention that the fact that this was out there for a year is bad. Extraordinarily bad. But you knew that already.
UPDATE: Adrian Culley, Senior Sales Engineer at SafeBreach adds this comment:
“Broadcom has released fixes for CVE-2025-41244 and related issues affecting VMware Aria Operations and VMware Tools. In certain configurations, VMs running VMware Tools and managed by Aria Operations with SDMP enabled allowed local privilege escalation to root. NVISO reports the bug was exploited in the wild since mid-October 2024 by a China-nexus actor assessed as UNC5174. Teams should patch Aria Operations/Tools immediately and ensure Linux hosts receive updated open-vm-tools from their distributors. Hunt for exploitation by looking for mimicked system binaries (e.g., httpd) in writable paths like /tmp/httpd and for unusual child processes from discovery collectors. After patching, continuously validate that privilege-escalation, credential harvesting, and lateral-movement paths are closed—don’t just assume they are.”
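The two hunting indicators named above (a service-named binary such as httpd staged in a writable path like /tmp, and an uncommon child process spawned by a discovery collector) can be turned into a simple triage script. The following is an added example and is not code from NVISO, Broadcom or this post; the record format it parses is constructed, the writable and system directory lists are assumptions, the service names other than httpd are assumptions added to broaden the check, and treating vmtoolsd (the VMware Tools daemon) as the collector parent is an assumption as well.

```python
"""Triage process records for the two CVE-2025-41244 hunting indicators:
(1) a binary mimicking a system service (e.g. httpd) staged in a writable
path such as /tmp/httpd, and (2) an uncommon child of a discovery collector.
"""
from dataclasses import dataclass
import os.path

# Directories an unprivileged user can normally write to on a Linux guest (assumption).
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Where legitimate service binaries are expected to live (assumption).
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/usr/lib", "/usr/libexec", "/opt")
# httpd comes from the advisory; the other names are assumptions to widen the net.
SERVICE_NAMES = frozenset({"httpd", "sshd", "nginx", "mysqld", "postgres", "dockerd"})
# Assumed name of the discovery collector parent (vmtoolsd is the VMware Tools daemon).
COLLECTOR_PARENTS = frozenset({"vmtoolsd"})


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    parent_comm: str   # command name of the parent process
    exe: str           # resolved path of the executable


def in_dir(path, dirs):
    """True if path equals one of dirs or lies beneath it (prefix on a path boundary)."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)


def mimicked_service_binary(p):
    """A service-named executable that does not live in a system binary directory."""
    return os.path.basename(p.exe) in SERVICE_NAMES and not in_dir(p.exe, SYSTEM_BIN_DIRS)


def unusual_collector_child(p):
    """A collector child whose executable is outside the system binary directories."""
    return p.parent_comm in COLLECTOR_PARENTS and not in_dir(p.exe, SYSTEM_BIN_DIRS)


def hunt(procs):
    """Return (pid, exe, reasons) for every record that trips at least one indicator."""
    findings = []
    for p in procs:
        reasons = []
        if mimicked_service_binary(p):
            reasons.append("service-named binary outside system bin dirs")
        if in_dir(p.exe, WRITABLE_DIRS):
            reasons.append("executable lives in a user-writable directory")
        if unusual_collector_child(p):
            reasons.append("spawned by a discovery collector")
        if reasons:
            findings.append((p.pid, p.exe, tuple(reasons)))
    return findings


def parse_records(text):
    """Parse a constructed tab-separated export: pid, ppid, parent_comm, exe per line."""
    procs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pid, ppid, parent_comm, exe = line.split("\t")
        procs.append(Proc(int(pid), int(ppid), parent_comm, exe))
    return procs


# Constructed sample export: one legitimate httpd, one collector child that is a
# staged /tmp/httpd, one benign collector child, and two other odd executables.
SAMPLE_EXPORT = (
    "# pid\tppid\tparent_comm\texe\n"
    "1201\t1\tsystemd\t/usr/sbin/httpd\n"
    "4412\t1337\tvmtoolsd\t/tmp/httpd\n"
    "4413\t1337\tvmtoolsd\t/usr/bin/lsb_release\n"
    "5001\t900\tbash\t/dev/shm/sshd\n"
    "5002\t900\tbash\t/tmp/build/a.out\n"
)
SAMPLE_PROCS = parse_records(SAMPLE_EXPORT)

if __name__ == "__main__":
    for pid, exe, reasons in hunt(SAMPLE_PROCS):
        print(f"pid {pid} {exe}: {'; '.join(reasons)}")
```

A record that trips all three checks, like the /tmp/httpd child of vmtoolsd in the sample, is the pattern the advisory describes; a single hit on the writable-directory check alone is a lead to look at, not a verdict, since build artefacts and installers commonly run from /tmp.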
Auto dealership software company notifies 767,000 people of data breach
Posted in Commentary with tags Comparitech on October 1, 2025 by itnerd
Comparitech today reported that auto dealership software company Motility Software Solutions this week notified 766,670 people of an August 2025 data breach that compromised names, SSNs, phone numbers, email addresses, DOBs, and driver’s license numbers.
Rebecca Moody, Head of Data Research at Comparitech, provided the following commentary:
“This ransomware attack becomes the ninth largest this year so far (based on records affected) and is the second-largest breach on a technology company.
It’s also yet another attack on a software company that’s used by multiple organizations. In recent months, we’ve seen a number of disruptive attacks like these which have had far-reaching consequences either in the large quantities of data breached and/or the disruption of encrypted systems. Other examples include the attack on Collins Aerospace which caused chaos across European airports and the attack on a Swedish technology company, Miljödata, which impacted over 200 municipalities with system downtime and has seen a breach of at least 1 million records.
As hackers continue to evolve and look for the most disruptive ways to have an impact, attacks on companies like Motility Software Solutions offer great appeal because of how many entities can be targeted through one company. While this attack on Motility Software Solutions doesn’t appear to have caused a lot of disruption to car dealers (like the attack on CDK did back in June 2024), it has resulted in a significant data breach.”
Victims of this breach should be prepared for secondary attacks, because you know those will be inbound. This again highlights the fact that organizations should make every effort to keep the bad guys out at all costs.