Apple has released a security update for macOS Sequoia 15.7.1 to address a serious vulnerability in its font parser. The flaw, tracked as CVE-2025-43400, allows a maliciously crafted font file to trigger an out-of-bounds write. Exploitation could cause unexpected application crashes or corrupt process memory on affected systems. Apple patched this issue on September 29, 2025, as […]
A zero-day local privilege escalation vulnerability in VMware Tools and VMware Aria Operations is being actively exploited in the wild. The flaw, tracked as CVE-2025-41244, allows an unprivileged local attacker to gain root-level code execution on affected systems.
On September 29, 2025, Broadcom disclosed the vulnerability, which exists within VMware’s guest service discovery features. However, security firm NVISO reported identifying zero-day exploitation of this flaw dating back to mid-October 2024 during incident response engagements.
The vulnerability impacts both VMware Tools and VMware Aria Operations, key components used for managing virtualized environments. Successful exploitation allows a user with low privileges to execute arbitrary code within a privileged context, such as the root user on Linux systems.
The flaw affects two distinct service discovery modes:
Credential-less service discovery: In this mode, the vulnerability lies within the VMware Tools component itself, which is widely deployed on guest virtual machines.
Legacy credential-based service discovery: Here, the flaw is located within VMware Aria Operations, the management platform for hybrid-cloud workloads.
NVISO researchers confirmed the flaw exists in the open-source variant of VMware Tools, open-vm-tools, which is distributed with most major Linux distributions.
0-Day Vulnerability Exploitation
The root cause of CVE-2025-41244 is an Untrusted Search Path weakness (CWE-426) in the get-versions.sh script, which is responsible for identifying the versions of services running on a virtual machine.
The script uses overly broad regular expressions to locate service binaries. For example, a pattern like /\S+/httpd is designed to find the Apache web server binary, but will also match a file named httpd located in a user-writable directory like /tmp.
An attacker can exploit this by placing a malicious executable at a path like /tmp/httpd. They then run this malicious process and have it open a listening socket. When the VMware service discovery process runs (typically every five minutes), it scans for running services.
The flawed script will find and execute the attacker’s malicious binary with the -v flag to get its version, but it does so with the elevated privileges of the VMware Tools service. This provides the attacker with a root shell, granting them full control over the system.
NVISO has attributed the in-the-wild exploitation to UNC5174, a threat actor believed to be sponsored by the Chinese state. This group has a history of leveraging public exploits for initial access operations.
However, researchers noted that due to the trivial nature of the exploit and the common threat actor practice of naming malware after system binaries (e.g., httpd), it is unclear if UNC5174 exploited the flaw intentionally or accidentally. It is possible that other malware has been unintentionally benefiting from this privilege escalation for years.
Organizations can detect exploitation by monitoring for unusual child processes spawned by vmtoolsd or the get-versions.sh script. In credential-based mode, forensic evidence may be found in lingering script files located in /tmp/VMware-SDMP-Scripts-{UUID}/ directories.
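As an added example (not NVISO's or Broadcom's code, and not the real get-versions.sh), the script below approximates the two points made above: why a pattern of the form /\S+/httpd is too broad, and what the detection guidance looks like in practice. It runs over a constructed process snapshot and flags (a) executables the broad pattern would treat as a service binary even though they live outside an assumed allowlist of trusted directories, and (b) children of vmtoolsd or get-versions.sh whose executable is in an untrusted location. The pattern set, the trusted-directory list and the sample process table are all assumptions made for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed approximation of the matching the article describes: a pattern of the
# form /\S+/httpd accepts any absolute path whose last component is "httpd", with no
# restriction on the directory in front of it. The other two names are assumed.
BROAD_SERVICE_PATTERNS = {
    "httpd": re.compile(r"^/\S+/httpd$"),
    "nginx": re.compile(r"^/\S+/nginx$"),
    "mysqld": re.compile(r"^/\S+/mysqld$"),
}

# Assumed allowlist of directories a privileged discovery routine should be willing
# to execute a binary from. /tmp, /home, /dev/shm and similar user-writable
# locations are deliberately absent.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin",
                "/usr/local/sbin", "/usr/local/bin", "/opt")

# Parent process names whose children are worth inspecting, per the detection
# guidance in the article (the discovery daemon and the script it runs).
DISCOVERY_PARENTS = {"vmtoolsd", "get-versions.sh"}


def matched_service(exe):
    """Return the service name the broad pattern would assign to exe, or None."""
    for name, pattern in BROAD_SERVICE_PATTERNS.items():
        if pattern.match(exe):
            return name
    return None


def in_trusted_dir(exe):
    """True if exe's directory is one of (or below) the trusted directories."""
    parent = str(PurePosixPath(exe).parent)
    return any(parent == d or parent.startswith(d + "/") for d in TRUSTED_DIRS)


def audit_service_paths(processes):
    """Flag running executables the broad pattern would treat as a service binary
    but which live outside the trusted directories (the condition the flaw needs)."""
    findings = []
    for proc in processes:
        name = matched_service(proc["exe"])
        if name is not None and not in_trusted_dir(proc["exe"]):
            findings.append((proc["pid"], name, proc["exe"]))
    return findings


def audit_discovery_children(processes):
    """Flag children of the discovery process whose executable is not in a trusted
    directory: a privileged child launched from /tmp is the artefact to look for."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for proc in processes:
        parent = by_pid.get(proc["ppid"])
        if parent and parent["comm"] in DISCOVERY_PARENTS and not in_trusted_dir(proc["exe"]):
            findings.append((proc["pid"], parent["comm"], proc["exe"]))
    return findings


# Constructed process snapshot (pid, ppid, comm, exe); not real telemetry.
SAMPLE_PROCESSES = [
    {"pid": 1,    "ppid": 0,    "comm": "systemd",         "exe": "/usr/lib/systemd/systemd"},
    {"pid": 640,  "ppid": 1,    "comm": "vmtoolsd",        "exe": "/usr/bin/vmtoolsd"},
    {"pid": 812,  "ppid": 1,    "comm": "httpd",           "exe": "/usr/sbin/httpd"},
    {"pid": 4123, "ppid": 3900, "comm": "httpd",           "exe": "/tmp/httpd"},
    {"pid": 5001, "ppid": 640,  "comm": "get-versions.sh", "exe": "/usr/bin/bash"},
    {"pid": 5002, "ppid": 5001, "comm": "httpd",           "exe": "/usr/sbin/httpd"},
    {"pid": 5003, "ppid": 5001, "comm": "httpd",           "exe": "/tmp/httpd"},
]

if __name__ == "__main__":
    for f in audit_service_paths(SAMPLE_PROCESSES):
        print("broad pattern matched an untrusted path:", f)
    for f in audit_discovery_children(SAMPLE_PROCESSES):
        print("discovery child running from an untrusted path:", f)
```

On the sample snapshot the first audit reports pids 4123 and 5003 (both /tmp/httpd) and the second reports only 5003, the one actually spawned under get-versions.sh. On a live Linux host the same fields can be read from /proc/PID/stat and /proc/PID/exe; the point of the trusted-directory check is that a version probe run with elevated privileges should never be willing to execute a binary just because its file name matches.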
Broadcom has released patches and published a security advisory to address CVE-2025-41244, and users are urged to apply the updates immediately.
A new dark web marketplace listing has sparked alarm in the cybersecurity community after a seller using the handle “SebastianPereiro” purportedly advertised a remote code execution (RCE) exploit targeting Veeam Backup & Replication platforms. The alleged exploit, marketed as the “Bug of June 2025,” is claimed to affect certain versions of Veeam 12.x series, specifically […]
VMware has released an advisory to address three high-severity vulnerabilities in VMware Aria Operations, VMware Tools, VMware Cloud Foundation, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure.
Disclosed on 29 September 2025, the advisory covers CVE-2025-41244, CVE-2025-41245, and CVE-2025-41246 with CVSSv3 base scores ranging from 4.9 to 7.8.
Administrators must apply the patched versions immediately to prevent local privilege escalation, information disclosure, and improper authorization exploits.
Local Privilege Escalation Flaw (CVE-2025-41244)
CVE-2025-41244 is a local privilege escalation vulnerability impacting VMware Aria Operations (all 8.x versions), VMware Tools (12.x, 13.x), and VMware Cloud Foundation Operations.
A malicious local actor with non-administrative privileges on a VM with VMware Tools installed and managed by Aria Operations (SDMP enabled) can exploit this flaw to escalate privileges to root.
Broadcom assigned a CVSSv3 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Resolution requires upgrading to a fixed version.
The fixed versions are Aria Operations 8.18.5, VMware Tools 13.0.5.0 and 12.5.4, and Cloud Foundation Operations 9.0.1.0. No workarounds are available.
Information Disclosure and Improper Authorization Flaws
CVE-2025-41245 introduces an information disclosure vulnerability in VMware Aria Operations.
An attacker with non-administrative Aria Operations access can disclose other users’ credentials. This flaw carries a CVSSv3 score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
Administrators should upgrade Aria Operations to 8.18.5 or apply the KB92148 patch for earlier Cloud Foundation versions.
CVE-2025-41246 is an improper authorization vulnerability in VMware Tools for Windows (all 12.x and 13.x releases).
A malicious user already authenticated via vCenter or ESX could pivot to other guest VMs if they know the target VM credentials. Its CVSSv3 score is 7.6 (AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Remediation requires updating VMware Tools for Windows to 13.0.5 or 12.5.4.
CVE ID          Title                       CVSSv3.1 Score  Severity
CVE-2025-41244  Local privilege escalation  7.8             Important
CVE-2025-41245  Information disclosure      4.9             Important
CVE-2025-41246  Improper authorization      7.6             Important
Broadcom credits Maxime Thiebaut (NVISO), Sven Nobis and Lorin Lehawany (ERNW), and Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) for reporting these issues.
No workarounds exist for any of these vulnerabilities. All affected environments should immediately apply the patches issued by Broadcom.
Administrators without patching capability can temporarily restrict local VM user privileges and limit access to Aria Operations consoles.
Western Digital has released security updates for a critical vulnerability affecting multiple My Cloud network-attached storage (NAS) devices.
The flaw, tracked as CVE-2025-30247, could allow a remote attacker to execute arbitrary code on vulnerable systems, potentially leading to a complete device takeover.
The company addressed the high-severity issue in My Cloud Firmware version 5.31.108, which was released on September 24, 2025.
A successful exploit of this remote code execution (RCE) vulnerability would enable an unauthenticated attacker to compromise the security of the NAS device.
This could result in data theft, the deployment of malware or ransomware, or the integration of the compromised device into a botnet for use in further attacks.
Given that NAS devices often store sensitive personal and business data, the impact of such a compromise could be severe.
Western Digital has strongly urged all users to promptly update their devices to the latest firmware to mitigate the threat. The update can be applied directly through the firmware update notification within the device’s administrative interface.
The advisory credits security researcher w1th0ut for discovering and responsibly reporting the vulnerability, allowing the company to develop and issue a patch.
Affected Devices and Mitigation
The security update is crucial for a wide range of products in the My Cloud family. Western Digital has confirmed that the following devices are impacted and should be updated to firmware version 5.31.108 or later to be protected against CVE-2025-30247.
My Cloud PR2100
My Cloud PR4100
My Cloud EX4100
My Cloud EX2 Ultra
My Cloud Mirror Gen 2
My Cloud DL2100
My Cloud EX2100
My Cloud DL4100
My Cloud WDBCTLxxxxxx-10
My Cloud
This incident highlights the ongoing security risks associated with internet-connected storage devices. Threat actors frequently scan for and target unpatched NAS systems due to the valuable data they contain.
Applying security patches as soon as they become available is one of the most effective measures users can take to protect their data from unauthorized access and cyberattacks.
Users are advised to review their device settings and ensure that automatic updates are enabled, where possible, to maintain security.
Broadcom released VMSA-2025-0016 to address three key vulnerabilities affecting VMware vCenter Server and NSX products. The vulnerabilities include an SMTP header injection in vCenter (CVE-2025-41250) and two distinct username enumeration flaws in NSX (CVE-2025-41251 and CVE-2025-41252). All three are rated in the Important severity range with CVSSv3 scores between 7.5 and 8.5. CVE ID Description CVSSv3 Affected […]
Apple has rolled out security updates across its operating systems to address a vulnerability in the Font Parser component that could allow malicious fonts to crash applications or corrupt process memory.
The vulnerability, identified as CVE-2025-43400, affects a wide range of products, including the newly released macOS Tahoe and iOS 26, as well as older versions.
The vulnerability is an out-of-bounds write issue in FontParser. This type of memory safety flaw enables a program to write data beyond the end of an allocated buffer, resulting in unpredictable behavior.
An attacker could exploit this by embedding a specially crafted font in a document, email, or webpage. When a user interacts with this content, the vulnerable Font Parser component may be triggered, potentially leading to app termination or memory corruption.
Apple has addressed the issue by implementing improved bounds checking, ensuring the software stays within its designated memory space when processing font data.
According to Apple’s advisory released on September 29, 2025, there are no known instances of this vulnerability being exploited in the wild.
It remains unclear whether the flaw could be leveraged for arbitrary code execution, which would be a more severe threat. However, the potential for denial-of-service attacks or memory corruption makes it a critical issue that needs to be addressed.
The security fix affects a wide range of Apple products, underscoring the shared codebase across its ecosystem.
While Apple also released updates for watchOS and tvOS, they did not include patches for this vulnerability. Users are strongly encouraged to apply the latest updates to all affected devices to mitigate any potential risk.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting the Sudo command-line utility for Linux and Unix-like operating systems to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability in question is CVE-2025-32463 (CVSS score: 9.3), which affects Sudo versions prior to
Luxury department store Harrods has become the latest victim of a significant cybersecurity incident after hackers successfully accessed personal data belonging to 430,000 customers. The prestigious London retailer confirmed that threat actors contacted the company following the breach, though Harrods has stated it will not engage with the attackers. Limited Data Exposure The compromised information was obtained from […]
VMware has disclosed critical security vulnerabilities in vCenter Server and NSX platforms that could allow attackers to enumerate valid usernames and manipulate system notifications.
The vulnerabilities, tracked as CVE-2025-41250, CVE-2025-41251, and CVE-2025-41252, affect multiple VMware products, including Cloud Foundation, vSphere Foundation, NSX, NSX-T, and Telco Cloud platforms.
Broadcom, which acquired VMware, released a security advisory on September 29, 2025, rating the vulnerabilities with CVSS base scores ranging from 7.5 to 8.5, classifying them as “Important” severity.
The National Security Agency (NSA) reported two of the three vulnerabilities, highlighting their potential national security implications.
vCenter SMTP Header Injection Vulnerability
The first vulnerability, CVE-2025-41250, is an SMTP header injection flaw in VMware vCenter Server with a CVSS score of 8.5.
This vulnerability enables malicious actors with non-administrative privileges who have permission to create scheduled tasks to manipulate notification emails sent for those tasks.
The attack vector requires authenticated access to vCenter with task creation permissions. By exploiting SMTP header injection techniques, attackers can modify email headers, potentially redirecting notifications, inserting malicious content, or bypassing email security filters.
This could lead to social engineering attacks, credential harvesting, or unauthorized disclosure of information through manipulated email communications.
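The mechanism behind an SMTP header injection, as an added illustration that is not VMware's code and does not reproduce the vCenter bug: a naive renderer that concatenates a user-controlled value (here an assumed scheduled-task name) into a header line, beside a hardened renderer that rejects carriage returns and line feeds, which are what an injected header needs in order to start a new line. The parse step shows what a receiving mail server would read. All addresses and the task name are constructed.

```python
import re
from email import message_from_string

# Any CR or LF in a header-bound value can terminate the current header line.
HEADER_FORBIDDEN = re.compile(r"[\r\n]")


def render_naive(task_name, recipient, body):
    """Naive rendering: the task name goes straight into the Subject header, so a
    CR/LF inside it ends the Subject line and whatever follows is parsed by the
    receiver as further headers."""
    return (
        "From: vcenter-noreply@example.invalid\r\n"
        f"To: {recipient}\r\n"
        f"Subject: Scheduled task finished: {task_name}\r\n"
        f"\r\n{body}\r\n"
    )


def sanitize_header_value(value):
    """Reject, rather than silently strip, values that could break a header line."""
    if HEADER_FORBIDDEN.search(value):
        raise ValueError("CR/LF not allowed in a header value")
    return value


def render_hardened(task_name, recipient, body):
    """Same layout as render_naive, but every header-bound input is validated."""
    return render_naive(sanitize_header_value(task_name),
                        sanitize_header_value(recipient), body)


def header_names(raw):
    """Parse a rendered message and return the header names a receiver would see."""
    return message_from_string(raw).keys()


if __name__ == "__main__":
    # Constructed task name carrying an extra header after a CRLF.
    injected = "Nightly snapshot\r\nBcc: redirect@example.invalid"
    print(header_names(render_naive(injected, "ops@example.invalid", "done")))
    try:
        render_hardened(injected, "ops@example.invalid", "done")
    except ValueError as err:
        print("hardened renderer rejected input:", err)
```

The naive output parses to four headers, including the injected one; the hardened renderer refuses the value before any message is built. Building messages with email.message.EmailMessage under its default policy gives the same protection, since that policy rejects header values containing line breaks.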
Affected products include vCenter Server versions 7.0, 8.0, and 9.x across various VMware Cloud Foundation and vSphere Foundation deployments.
The vulnerability impacts VMware Telco Cloud Platform versions 2.x through 5.x and Telco Cloud Infrastructure versions 2.x and 3.x.
Broadcom credits Per von Zweigbergk with responsibly disclosing this vulnerability. No workarounds are available, so organizations must apply the provided security patches immediately.
NSX Username Enumeration Vulnerabilities
Two separate username enumeration vulnerabilities affect NSX platforms, creating pathways for reconnaissance attacks.
CVE-2025-41251, with a CVSS score of 8.1, is a weak password recovery mechanism vulnerability that allows unauthenticated attackers to enumerate valid usernames through the password recovery process.
CVE-2025-41252, scoring 7.5 on the CVSS scale, is a direct username enumeration vulnerability that permits unauthenticated malicious actors to identify valid usernames without requiring authentication.
Both vulnerabilities can serve as reconnaissance tools for subsequent brute-force attacks or targeted credential stuffing campaigns.
Username enumeration attacks typically exploit differences in application responses when processing valid versus invalid usernames.
Attackers can analyze response times, error messages, HTTP status codes, or other behavioral patterns to determine which usernames exist in the system.
This information becomes valuable for password spraying attacks, social engineering campaigns, or targeted phishing attempts.
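The response-difference oracle described above, as an added example that is not part of the advisory or of NSX: a login handler that answers "unknown user" and "wrong password" differently and skips the password hash for unknown accounts (so both the message and the response time reveal whether the username exists), beside a handler that returns one message and does the same amount of work on both paths, plus a password-recovery response that does not confirm account existence. The user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac

# Constructed user store for the example; salt and passwords are made up.
_SALT = b"constructed-example-salt"
_ITERATIONS = 50_000


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"admin": _hash("correct horse battery staple")}
# Pre-computed hash of a throwaway password so that a request for a non-existent
# user still costs one full hash computation (same timing on both branches).
_DUMMY = _hash("not-a-real-password")


def login_leaky(username, password):
    """Message differs by failure cause, and the hash is skipped for unknown users:
    an enumeration oracle through both the text and the response time."""
    if username not in USERS:
        return "unknown user"
    if hmac.compare_digest(USERS[username], _hash(password)):
        return "ok"
    return "wrong password"


def login_uniform(username, password):
    """One failure message and one hash computation whether or not the user exists."""
    stored = USERS.get(username, _DUMMY)
    candidate = _hash(password)
    matched = hmac.compare_digest(stored, candidate)
    if username in USERS and matched:
        return "ok"
    return "invalid credentials"


def recovery_uniform(username):
    """Password-recovery style response that does not reveal account existence.
    (Actually sending the e-mail, only when the account exists, is omitted here.)"""
    return "If an account with that username exists, recovery instructions have been sent."


def distinguishable(login_fn):
    """True if the responses for 'no such user' and 'wrong password' differ."""
    return login_fn("no-such-user", "x") != login_fn("admin", "x")


if __name__ == "__main__":
    print("leaky handler distinguishable:", distinguishable(login_leaky))
    print("uniform handler distinguishable:", distinguishable(login_uniform))
```

The same rule applies to HTTP status codes and redirects: the unknown-user and wrong-password paths must be indistinguishable in status, body and elapsed time, which is why the uniform handler hashes a dummy value instead of returning early.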
The NSX vulnerabilities affect VMware NSX versions 4.0.x through 4.2.x, NSX-T version 3.x, and NSX components within Cloud Foundation and Telco Cloud platforms.
Organizations running these platforms face immediate exposure to reconnaissance attacks that could facilitate broader compromise attempts.
Security patches are available through various fixed versions, including NSX 4.2.2.2, 4.2.3.1, 4.1.2.7, and NSX-T 3.2.4.3.
VMware Cloud Foundation users should implement asynchronous patching procedures documented in KB88287. Meanwhile, Telco Cloud Platform and Infrastructure users should refer to KB411518 for update guidance.
The NSA’s involvement in reporting these vulnerabilities underscores their significance for enterprise and government environments where VMware infrastructure provides critical virtualization and networking services.
Broadcom has already released patches that organizations should prioritize to address these vulnerabilities, as username enumeration could enable more sophisticated attack campaigns targeting virtualized infrastructure.