SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Broadcom patches VMware zero-day exploited for nearly a year

Thu, 2nd Oct 2025

Broadcom has issued security patches addressing a high-severity vulnerability in VMware software that allowed attackers to gain root privileges on virtual machines, with evidence showing the flaw was exploited as a zero-day for nearly a year.

The vulnerability, tracked as CVE-2025-41244 with a Common Vulnerability Scoring System (CVSS) rating of 7.8, impacts VMware Aria Operations and VMware Tools, including the open-vm-tools package distributed for Linux virtual environments. The flaw enables local attackers to escalate privileges to the highest level on targeted virtual machines under certain configurations.

Patching and scope

Security researchers at NVISO Labs found that the bug had been actively exploited by an advanced persistent threat group, identified as UNC5174 and believed to be affiliated with Chinese state interests. As part of their exploitation routine, the attackers were observed placing malicious binaries in writable directories, such as /tmp/httpd, which allowed further compromise of the affected systems.

Broadcom has now released updates for VMware Cloud Foundation, vSphere, Aria Operations, Telco Cloud Platform, VMware Tools, and open-vm-tools. For organisations running Linux virtual machines, updated open-vm-tools packages will be provided and distributed by the respective Linux vendors.

Despite these patches, security professionals have raised concerns that the vulnerability was exploited for a significant period before disclosure. The exploits commonly involved creating or mimicking system binaries in temporary directories and running unauthorised scripts, techniques that require thorough post-remediation detection efforts.

Detection and response guidance

To detect ongoing or past exploitation, security teams are advised to monitor for the presence of unusual system binaries, especially in paths such as /tmp/httpd, or unexpected child processes and artefacts created by discovery collector scripts used by the attackers.

Adrian Culley, Senior Sales Engineer at SafeBreach, said,

"Broadcom has released fixes for CVE-2025-41244 and related issues affecting VMware Aria Operations and VMware Tools. In certain configurations, VMs with VMware Tools managed by Aria Operations with SDMP enabled allow local privilege escalation to root. NVISO reports the bug was exploited in the wild since mid-October 2024 by a China-nexus actor assessed as UNC5174."
"Teams should patch Aria Operations/Tools immediately and ensure Linux hosts receive updated open-vm-tools from their distributors. Hunt for exploitation by looking for mimicked system binaries (e.g., httpd) in writable paths like /tmp/httpd and for unusual child processes from discovery collectors. After patching, continuously validate that privilege-escalation, credential harvesting, and lateral-movement paths are closed; don't just assume they are."
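The detection guidance above and Culley's hunt advice both come down to two host-side checks: look for system-binary look-alikes sitting in writable directories, and look for processes that the tools daemon's collector spawned from such a directory. The following Python script, added here as an illustration and not code from the article, Broadcom, VMware or NVISO, implements both against a Linux guest. The list of mimicked names beyond "httpd", the writable directories scanned, and the assumption that the collector's parent process is named "vmtoolsd" are the author's constructions; the ps output in SAMPLE_PS is likewise constructed.

```python
"""Host-side hunt for two indicators of CVE-2025-41244 exploitation: system-binary
look-alikes dropped into writable directories, and children of the VMware Tools
daemon executing from such directories.  Example code, not part of the article
or of any VMware, Broadcom or NVISO tooling."""
import os
import stat
import tempfile

# "httpd" is the name cited in the article; the other names are constructed
# examples of daemons an attacker might plausibly mimic.
MIMICKED_NAMES = {"httpd", "sshd", "nginx", "crond"}

# Writable locations where an executable with one of those names is out of place.
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Assumption: the discovery collector runs under the VMware Tools daemon, whose
# process name is "vmtoolsd"; adjust to whatever parent your environment shows.
COLLECTOR_PARENTS = {"vmtoolsd"}


def find_suspicious_binaries(search_dirs=WRITABLE_DIRS, names=MIMICKED_NAMES):
    """Return sorted paths of executable regular files inside search_dirs whose
    basename matches a well-known system binary name."""
    hits = []
    for base in search_dirs:
        # os.walk silently skips directories it cannot read
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if name not in names:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                # regular file with any execute bit set (symlinks are ignored)
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                    hits.append(path)
    return sorted(hits)


def flag_collector_children(ps_lines, parents=COLLECTOR_PARENTS,
                            writable_dirs=WRITABLE_DIRS):
    """Given lines in the format of `ps -eo pid,ppid,comm,args --no-headers`,
    return (pid, ppid, exe) for processes whose executable lives in a writable
    directory and whose parent process name is in `parents`."""
    table = {}
    for line in ps_lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, comm, args = parts
        table[int(pid)] = (int(ppid), comm, args)

    prefixes = tuple(d.rstrip("/") + "/" for d in writable_dirs)
    flagged = []
    for pid, (ppid, _comm, args) in table.items():
        exe = args.split()[0]
        parent_comm = table.get(ppid, (0, "", ""))[1]
        if parent_comm in parents and exe.startswith(prefixes):
            flagged.append((pid, ppid, exe))
    return sorted(flagged)


# Constructed ps output: one legitimate httpd under /usr/sbin and one
# look-alike under /tmp spawned by the tools daemon.
SAMPLE_PS = [
    "1 0 systemd /sbin/init",
    "812 1 vmtoolsd /usr/bin/vmtoolsd",
    "4201 812 httpd /tmp/httpd",
    "4300 1 httpd /usr/sbin/httpd -DFOREGROUND",
]


def self_check():
    """Build a throwaway directory with a constructed /tmp-style layout and run
    both checks; returns (basenames found, flagged processes)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "httpd")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\n")        # constructed look-alike, executable
        os.chmod(fake, 0o755)
        with open(os.path.join(tmp, "httpd.log"), "w") as fh:
            fh.write("not a binary\n")     # different name, not flagged
        sub = os.path.join(tmp, "x")
        os.mkdir(sub)
        nested = os.path.join(sub, "sshd")
        with open(nested, "w") as fh:
            fh.write("#!/bin/sh\n")        # look-alike in a subdirectory
        os.chmod(nested, 0o700)
        found = [os.path.basename(p) for p in find_suspicious_binaries((tmp,))]
    return found, flag_collector_children(SAMPLE_PS)


if __name__ == "__main__":
    for path in find_suspicious_binaries():
        print("look-alike binary:", path)
    for pid, ppid, exe in flag_collector_children(SAMPLE_PS):
        print(f"pid {pid} (parent {ppid}) running from writable path: {exe}")
```

Run it as root on the guest to scan the real writable directories, and feed `flag_collector_children` the live output of the `ps` command named in its docstring; a hit is a lead for triage, not proof of compromise, since legitimate software occasionally executes from /tmp.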

Industry perspectives

The duration of the zero-day's exploitation has raised broader industry concerns over disclosure practices and transparency.

Gunter Ollmann, Chief Technology Officer at Cobalt, commented on the need for greater openness from vendors about the real-world exploitation of such flaws.

"Zero-days that persist in widely used infrastructure for nearly a year highlight the growing mismatch between vendor disclosures and adversary realities. In this case, the triviality of the exploit means it likely fell into the hands of multiple threat actors, not just those with nation-state capabilities. When exploitation is both simple and widespread, leaving customers unaware is an unforced error that adds unnecessary risk. The industry needs more candour around zero-day exploitation so defenders can calibrate their urgency. In the long run, trust in security advisories will matter as much as the patches themselves."

Beyond the immediate technical response, concerns have also been raised regarding compliance and risk management implications.

Dale Hoak, Chief Information Security Officer at RegScale, emphasised the importance of transparency in supporting effective compliance programmes.

"An unpatched or undisclosed zero-day undermines the very foundation of compliance programmes, which rely on accurate risk data. If customers don't know an exploit is active, they can't prioritise remediation, leaving regulators and auditors working from a false baseline of assurance. This is why it's critical to operationalise risk in the larger context of patching, moving beyond a checklist exercise to a process that connects advisories, vulnerability data, and remediation actions in real time."
"Continuous controls monitoring enables that connection, ensuring that controls are validated against live threats, not just documented in static reports. Real assurance comes when organisations can align compliance, risk, and patching as a single operational discipline."

Ongoing risk mitigation

Security researchers are urging organisations to deploy patches as soon as possible and apply enhanced monitoring for unusual activity within their virtual machine environments. Following the update, it is recommended to validate security controls to confirm that any potential exploitation pathways have been closed.

Broadcom has not commented on why active exploitation was not included in its initial advisory, despite evidence of ongoing attacks, a detail noted by researchers and outside commentators alike.

Mitigation efforts should include not only installing patches but also taking steps to detect any signs of past or current compromise and ensuring continuous validation of all privilege escalation, credential collection, and lateral-movement risks within the infrastructure.