
Broadcom fixes actively exploited 0-day vulnerability in VMware Tools and VMware Aria Operations

CVE-2025-41244 is a local privilege escalation vulnerability in VMware Tools and VMware Aria Operations that enables attackers to execute code, potentially with root privileges. NVISO, who responsibly reported the vulnerability, claims that a Chinese initial access broker tracked as UNC5174 has been exploiting it since October 2024. Proof-of-concept exploit code demonstrating the vulnerability has been made public now that an official fix is available.

Unfortunately, the vulnerability in Broadcom’s VMware Tools and VMware Aria Operations is also present in open-vm-tools, the open-source variant of VMware Tools. Fortunately, the fix for CVE-2025-41244 was included in version 13.0.5 of the open-vm-tools package and should make its way into the major Linux distributions’ security release pipelines.

The NVISO blog post claims that the attacker, UNC5174, has been exploiting this vulnerability since October 2024. To detect potential malicious activity linked to this vulnerability, NVISO recommends monitoring for unusual child processes spawned by either the vmtoolsd process or the get_versions.sh script.
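The monitoring recommendation above can be turned into a simple hunting rule over process-start telemetry. The following Python script is an added example written for this post; it is not NVISO's or Orange Cyberdefense's tooling. The key=value event format, the sample events and the baseline of "expected" child binaries are all constructed assumptions: on a real host the baseline must be built from known-good telemetry and the parser adapted to whatever EDR or auditd format is in use. Beyond the direct-child check the post describes, it also walks the pid/ppid chain so that grandchildren of vmtoolsd or get_versions.sh are flagged as part of the same process tree.

```python
"""Hunting helper: flag unusual child processes (and descendants) of
vmtoolsd or get_versions.sh in process-start events.

Added example, not NVISO's or Orange Cyberdefense's code. Log format,
sample events and the expected-children baseline are constructed."""
import shlex
from typing import Dict, List, Optional

# Parent process names the advisory says to watch.
WATCHED_PARENTS = {"vmtoolsd", "get_versions.sh"}

# Hypothetical baseline of binaries these parents are expected to launch.
# Assumption for illustration only; derive your own from a known-good host.
EXPECTED_CHILDREN = {
    "/usr/bin/grep", "/usr/bin/awk", "/usr/bin/sed", "/usr/bin/cat", "/bin/sh",
}

# Paths from which a privileged service should never execute anything.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed sample events (not real telemetry). pcomm = parent's comm.
SAMPLE_EVENTS = """\
ts=2025-09-30T10:00:01Z pid=2210 ppid=1180 pcomm=vmtoolsd exe=/bin/sh cmdline="/bin/sh get_versions.sh"
ts=2025-09-30T10:00:01Z pid=2211 ppid=2210 pcomm=get_versions.sh exe=/usr/bin/grep cmdline="grep -i version"
ts=2025-09-30T10:00:02Z pid=2215 ppid=1180 pcomm=vmtoolsd exe=/tmp/.cache/svc cmdline="/tmp/.cache/svc"
ts=2025-09-30T10:00:03Z pid=2218 ppid=2210 pcomm=get_versions.sh exe=/usr/bin/python3 cmdline="python3 -c print(1)"
ts=2025-09-30T10:00:04Z pid=2220 ppid=900 pcomm=sshd exe=/usr/bin/python3 cmdline="python3 -c print(1)"
ts=2025-09-30T10:00:05Z pid=2221 ppid=1180 pcomm=vmtoolsd exe=/home/user/bin/tool cmdline="tool"
ts=2025-09-30T10:00:06Z pid=2230 ppid=2218 pcomm=python3 exe=/usr/bin/id cmdline="id"
"""


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    fields: Dict[str, str] = {}
    for token in shlex.split(line):  # shlex keeps quoted cmdline as one token
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not {"pid", "ppid", "pcomm", "exe"}.issubset(fields):
        return None
    return fields


def in_watched_tree(event: Dict[str, str], by_pid: Dict[str, Dict[str, str]]) -> bool:
    """True if the direct parent, or any ancestor we saw an event for, is watched."""
    seen = set()
    cur: Optional[Dict[str, str]] = event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if cur["pcomm"] in WATCHED_PARENTS:
            return True
        cur = by_pid.get(cur["ppid"])
    return False


def classify(event: Dict[str, str], by_pid: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return a reason string if the event is suspicious, else None."""
    if not in_watched_tree(event, by_pid):
        return None
    exe = event["exe"]
    relation = "child" if event["pcomm"] in WATCHED_PARENTS else "descendant"
    if exe.startswith(UNTRUSTED_DIRS):
        return f"{relation} of watched process runs from untrusted path: {exe}"
    if exe not in EXPECTED_CHILDREN:
        return f"unexpected {relation} of watched process: {exe}"
    return None


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Run the rule over a block of event lines and return the hits in order."""
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    by_pid = {e["pid"]: e for e in events}
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = parse_event(line)
        if ev is None:
            continue
        reason = classify(ev, by_pid)
        if reason:
            hits.append({"line": lineno, "pid": int(ev["pid"]), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"line {hit['line']} pid {hit['pid']}: {hit['reason']}")
```

On the constructed sample the rule ignores the sshd-spawned python3 (not in a watched tree) and the expected grep and shell children, and flags the binary run from /tmp, the unexpected python3 child of get_versions.sh, the binary under /home, and the grandchild `id` reached through the python3 process. Each hit is a lead for the investigation the next paragraph describes, not a verdict on its own.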

If you detect any unusual process trees associated with vmtoolsd or get_versions.sh, further investigation is required: because this is a local privilege escalation vulnerability, the attacker must already have had a foothold on the host, so such activity may be indicative of a wider compromise. Other detection controls already in place should also have flagged the anomalous activity. Consider activating your incident response plan or reaching out to incident response professionals to assist with next steps.

Fixes are available and should be applied as soon as possible, now that proof-of-concept exploit code is public. Broadcom also released fixes for 5 other vulnerabilities, including CVE-2025-41251 and CVE-2025-41252, which were disclosed by the U.S. National Security Agency (NSA).

Subscribers to Orange Cyberdefense World Watch can find more information on this vulnerability here.

Orange Cyberdefense World Watch advisory on UNC5174 is available here.

Orange Cyberdefense Managed Vulnerability Intelligence [watch] clients can enjoy analysis of this vulnerability here.

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 worldwide incident response hotline.