Broadcom Fails to Disclose Zero-Day Exploitation of Vmware Vulnerability

Posted3 months agoActive3 months ago

Bender

64 points

7 comments

securityweek.comTechstory

heatednegative

Debate

70/100

Vmware VulnerabilityBroadcomCybersecurity

Key topics

Vmware Vulnerability

Broadcom

Cybersecurity

Broadcom is criticized for failing to disclose a zero-day exploitation of a VMware vulnerability, with commenters expressing frustration over the company's handling of the issue and its impact on users.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

37m

Peak period

3-4h

Avg / period

1.8

Key moments

01Story posted
Oct 1, 2025 at 8:41 AM EDT
3 months ago
Step 01
02First comment
Oct 1, 2025 at 9:18 AM EDT
37m after posting
Step 02
03Peak activity
3 comments in 3-4h
Hottest window of the conversation
Step 03
04Latest activity
Oct 1, 2025 at 12:56 PM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (7 comments)

Showing 7 comments

garganzol

3 months ago

2 replies

To add an insult to the injury, Broadcom totally wrecked the update process for existing VMware installations. They killed update servers and domains, everything is annihilated.

A cherry on the top: you need to pass a quest of registrations and approvals before you ever be able to have an opportunity to get access to any VMware software download. Good luck updating your software, folks.

chuckadams

3 months ago

1 reply

Broadcom seems really determined to drive everyone away from VMWare at this point. I think they looked at pre-1990's IBM that locked everything up into service contracts top to bottom and decided that would be their business model. Makes Oracle look like GNU by comparison.

stackskipton

3 months ago

> Broadcom seems really determined to drive everyone away from VMWare at this point.

They are but this a shit ton of money to be earned while doing so. VMWare is so cemented at companies that migration for many is going to be almost impossible.

>pre-1990's IBM that locked everything up into service contracts top to bottom

IBM still has a ton of those service contracts. It's small amount of their overall revenue but it's not nothing. 10 years from now, big F500 will still be on VMware paying insane amounts of money.

RiverCrochet

3 months ago

I wanted to update to the latest version of the free VMWare Workstation, and since the auto updating didn't work anymore I tried to go to the Broadcom site to see if I could manually download it.

I was able to get to a download page for the latest version after making an account and traversing some confusing stuff, but it did want my real name and address before it would give me the download.

miladyincontrol

3 months ago

Good reason as to why even in vms, services should be containerized such as with nspawn, ideally distroless if sanely doable for the service.

Not that containerization should be your only protection either, but generally I prefer random users not to have opportunity to just create and run arbitrary executables in default namespace.

chuckadams

3 months ago

That's going to cost them big time in the EU when the CRA goes into full effect in a couple years. Theoretically anyway.

_alternator_

3 months ago

According to the discoverer, NVISO: “We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.”

This may explain the failure to notify of a 0day, since it seemed to be exploited accidentally in the course of a more sophisticated operation.

But that doesn’t excuse the lack of disclosure IMO. If it’s so trivial you could accidentally exploit it, seems bad.

View full discussion on Hacker News

ID: 45437003Type: storyLast synced: 11/20/2025, 2:43:43 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN