On September 29, 2025, Broadcom released advisory VMSA-2025-0015 addressing three vulnerabilities in VMware, including one exploited in the wild. The latest updates were issued for the following impacted products:
- VMware Aria Operations
- VMware Tools
- VMware Cloud Foundation
- VMware Telco Cloud Platform
- VMware Telco Cloud Infrastructure
The advisory for the vulnerabilities, tracked as CVE-2025-41244, CVE-2025-41245, and CVE-2025-41246, is marked with high severity, with the Common Vulnerability Scoring System (CVSS) Base Score ranging from 4.9 to 7.8 out of 10.
Researchers reported that CVE-2025-41244 has been exploited in the wild by the China-linked threat group UNC5174 since at least October 2024. It is a high-severity local privilege escalation vulnerability that could allow a local actor with non-administrative privileges to escalate to root. Exploitation requires access to a virtual machine that has VMware Tools installed and is managed by Aria Operations with the Service Discovery Management Pack (SDMP) enabled.
Researchers reported the flaw on May 19, 2025, and published technical details on September 29, 2025, demonstrating how the vulnerability could be abused by staging a malicious binary in paths matched by regular expressions used in the vulnerable `get_version()` function. UNC5174 reportedly used `/tmp/httpd` as a staging location for exploitation.
The vulnerability affects all versions from 11.x.x through 13.x.x of VMware Tools and all 8.x versions of VMware Aria Operations, as well as VMware Cloud Foundation and VMware vSphere Foundation across multiple versions.
VMware Tools is a suite of utilities that enhances VM performance and management, and Aria Operations provides observability and analytics for cloud and virtual infrastructure. Both Windows and Linux platforms are impacted. Broadcom released patched versions of VMware Tools (12.5.4, which also includes 12.4.9 for 32-bit Windows) and confirmed that updated open-vm-tools packages will be distributed by Linux vendors.
Analyst insight
Mitigation requires applying the vendor-provided patches, as no workarounds are currently available. Organizations using VMware Aria Operations and VMware Tools should confirm whether SDMP is enabled and ensure all virtual machines are updated to the latest patched versions. Enforcing strict privilege boundaries within and between VMs is critical to limiting the impact of vulnerabilities like CVE-2025-41244.
Although the exploited vulnerability requires local access, it can be chained with other exploits or used post-compromise to escalate privileges to root, enabling lateral movement and persistence. The availability of public technical details and confirmation of active exploitation by a state-sponsored threat actor elevates this to a priority patch. Organizations should review telemetry for indicators of compromise, including binaries staged in /tmp/httpd or similar paths.
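The telemetry review recommended above can be automated. The following is an added example, not code from the advisory or from VMware: it scans process-execution log lines for service binaries launched from world-writable staging directories, the pattern behind the `/tmp/httpd` indicator named in the reporting. The log format, the sample lines, the list of staging directories beyond `/tmp`, and the set of daemon names are all constructed for the example; the page does not publish the regular expressions used by `get_version()`, so the detection is written around the staging location rather than those patterns.

```python
import re
from dataclasses import dataclass

# Directories a non-privileged user can typically write to. /tmp is the
# location named in the reporting; the others are assumed additions a
# defender would reasonably monitor.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Service binaries that normally live under system paths (assumed list);
# a copy of one of these in a staging directory is the key indicator.
SYSTEM_BINARY_NAMES = {"httpd", "nginx", "mysqld", "sshd", "postgres"}

# Constructed log format: "ts=<epoch> uid=<n> pid=<n> exe=<path> comm=<name>"
LOG_RE = re.compile(
    r"ts=(?P<ts>\d+)\s+uid=(?P<uid>\d+)\s+pid=(?P<pid>\d+)"
    r"\s+exe=(?P<exe>\S+)\s+comm=(?P<comm>\S+)"
)


@dataclass
class Finding:
    ts: int
    pid: int
    uid: int
    exe: str
    reasons: tuple

    @property
    def severity(self):
        # Two or more reasons (staging dir plus name mimicry or root) is high.
        return "high" if len(self.reasons) >= 2 else "medium"


def parse_line(line):
    """Parse one constructed exec-log line; return None for unparseable input."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "ts": int(m["ts"]),
        "uid": int(m["uid"]),
        "pid": int(m["pid"]),
        "exe": m["exe"],
        "comm": m["comm"],
    }


def classify(event):
    """Return a tuple of reasons the event is suspicious (empty if benign)."""
    reasons = []
    exe = event["exe"]
    if exe.startswith(STAGING_DIRS):
        reasons.append("executable in world-writable staging directory")
        name = exe.rsplit("/", 1)[-1]
        if name in SYSTEM_BINARY_NAMES:
            reasons.append(f"name '{name}' mimics a system service binary")
        if event["uid"] == 0:
            # A staged binary running as root matches the privilege
            # escalation outcome described for CVE-2025-41244.
            reasons.append("running as root")
    return tuple(reasons)


def scan(lines):
    """Scan log lines and return Finding objects for suspicious executions."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            findings.append(
                Finding(event["ts"], event["pid"], event["uid"], event["exe"], reasons)
            )
    return findings


# Constructed sample telemetry: one benign system httpd, one staged copy in
# /tmp running as root, one user build artifact in /var/tmp, one vmtoolsd,
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    "ts=1727600000 uid=0 pid=4100 exe=/usr/sbin/httpd comm=httpd",
    "ts=1727600010 uid=0 pid=4111 exe=/tmp/httpd comm=httpd",
    "ts=1727600020 uid=1000 pid=4120 exe=/var/tmp/build comm=build",
    "ts=1727600030 uid=0 pid=4130 exe=/usr/bin/vmtoolsd comm=vmtoolsd",
    "this line is not telemetry",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] pid={f.pid} uid={f.uid} exe={f.exe}: {'; '.join(f.reasons)}")
```

Feeding real exec telemetry (auditd `execve` records, EDR process-start events) into `scan()` only requires adapting `LOG_RE`; the classification logic is independent of the source. The sample run flags `/tmp/httpd` as high severity on three counts and the `/var/tmp/build` execution as medium on one, while the legitimate `/usr/sbin/httpd` and `vmtoolsd` entries produce no finding.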
VMware Tools are widely deployed across Windows and Linux virtual machines in production environments, and VMware Aria Operations is commonly used to manage and monitor infrastructure at scale. This broad deployment increases the potential threat surface.
The risk is significantly higher when privilege boundaries are not strictly enforced; for example, when users or processes within a VM are permitted to access host-level resources or escalate privileges. In such cases, a local attacker could gain root access, bypass tenant isolation, and potentially compromise other VMs. This is especially concerning in multi-tenant environments managed by MSPs, where a single compromised VM could result in cross-tenant exposure.