National CERT Warns of Active Exploits Targeting VMware Products
Pakistan’s National Computer Emergency Response Team (National CERT) has issued a critical cybersecurity advisory after confirming that state-backed hackers are actively exploiting multiple high-severity flaws in VMware products.
The vulnerabilities, tracked as CVE-2025-41244 and CVE-2025-41246, affect popular VMware products, including Aria Operations, Cloud Foundation, NSX, and VMware Tools. The bugs carry CVSS scores of 7.8 and 7.6 and allow attackers to gain elevated privileges, bypass authorization, steal sensitive data, or even execute remote code across enterprise, cloud, and telecom environments.
National CERT confirmed that exploitation “has been observed in the wild,” with advanced persistent threat (APT) groups already leveraging these flaws for targeted attacks. The agency warned that unpatched VMware systems are at extreme risk, especially in organizations that run critical infrastructure.
Key Risks and Affected Versions
Successful exploitation could give hackers complete control over virtualized systems, potentially exposing confidential enterprise or telco data. Affected products include:
- VMware Aria Operations (below 8.18.4)
- VMware Tools (Windows/Linux below 13.0.4)
- VMware Cloud Foundation and NSX (multiple builds)
- open-vm-tools (varies by Linux vendor)
Attackers can launch these exploits both locally and remotely, often with minimal privileges, and in some cases no user interaction is required.
Mitigation and Patching Steps by National CERT
To counter the threat, National CERT has directed all organizations to apply Broadcom’s latest patches immediately. Relevant advisories include:
- Broadcom Advisory 36149
- Broadcom Advisory 36150
- Broadcom Advisory 35964
Until updates are applied, CERT recommends:
- Restricting access to VMware consoles and management interfaces.
- Limiting local user privileges.
- Monitoring for abnormal login attempts or privilege escalations.
- Hardening configurations in NSX and vSphere.
- Using network segmentation to isolate critical assets.
Continuous Monitoring and Response
Organizations are urged to:
- Integrate VMware exploit detection into incident response plans to enhance security.
- Monitor SIEM and IDS/IPS systems for suspicious activity.
- Verify the integrity of backups and ensure fast recovery options.
Conclusion
The National CERT concluded its advisory with a clear message. The agency warned,
“Patch now or risk a large-scale compromise. Immediate patching and proactive monitoring remain the only defenses against these ongoing exploit campaigns.”

