A critical security flaw in VMware Tools and VMware Aria Operations, identified as CVE-2025-41244 with a CVSS score of 7.8, has been actively exploited by the China-linked threat actor UNC5174 since mid-October 2024. This local privilege escalation vulnerability affects multiple VMware products, including VMware Cloud Foundation, VMware vSphere Foundation, VMware Aria Operations, VMware Tools, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure.
The vulnerability allows a malicious local actor with non-administrative privileges to escalate their access to root on the same virtual machine (VM). Exploitation requires the attacker to have initial access to the VM, which can be achieved through various means such as phishing attacks, exploiting other vulnerabilities, or leveraging weak credentials.
The flaw resides in the get_version() function within VMware’s metrics collection process. This function uses a regular expression (regex) pattern to identify processes with listening sockets and invokes the version command for supported services. However, the regex pattern employed is overly broad, matching non-system binaries located in directories writable by unprivileged users, such as /tmp. This oversight enables an unprivileged local attacker to place a malicious binary in these directories, leading to privilege escalation when the VMware metrics collection is executed.
NVISO Labs, a Brussels-based cybersecurity firm, discovered this vulnerability during an incident response engagement on May 19, 2025. They observed UNC5174 exploiting this flaw by staging a malicious binary at /tmp/httpd, which, when executed, spawned an elevated root shell, granting the attacker full control over the system.
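The matching behaviour the two paragraphs above describe, as an added illustration rather than VMware's actual code: a hypothetical basename-only regex that accepts the staged `/tmp/httpd` beside a hardened variant that only accepts binaries under fixed system directories, plus an audit helper a defender can run over a listing of listening-process executables. The regex, the service names and the sample paths are all constructed assumptions.

```python
import os
import re
import stat

# Constructed sample of executable paths behind listening sockets; this is
# not output from any VMware component.
SAMPLE_LISTENERS = [
    "/usr/sbin/httpd",
    "/usr/sbin/nginx",
    "/tmp/httpd",                 # the staging location the article describes
    "/home/user/.cache/nginx",    # user-writable, so equally untrustworthy
    "/usr/bin/python3",
]

# Hypothetical pattern of the overly broad kind described above: it keys on
# the basename only, so any directory prefix, /tmp included, is accepted.
BROAD_PATTERN = re.compile(r"^.*/(httpd|nginx|mysqld)$")

# Hardened variant: the directory is part of the match, restricted to
# locations that unprivileged users cannot write to.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin", "/usr/local/sbin")
STRICT_PATTERN = re.compile(
    r"^(?:" + "|".join(re.escape(d) for d in TRUSTED_DIRS) + r")/(httpd|nginx|mysqld)$"
)


def broad_matches(paths):
    """Paths the broad regex would hand to a privileged version probe."""
    return [p for p in paths if BROAD_PATTERN.match(p)]


def strict_matches(paths):
    """Paths the hardened regex accepts: system directories only."""
    return [p for p in paths if STRICT_PATTERN.match(p)]


def flag_untrusted(paths):
    """Audit view: listeners the broad regex accepts but that live outside
    trusted directories. On a host with the unpatched collector these are
    the binaries a defender should inspect and alert on."""
    return [p for p in broad_matches(paths) if os.path.dirname(p) not in TRUSTED_DIRS]


def dir_world_writable(path):
    """Live check for a real host: True if the binary's directory has the
    other-write bit set (e.g. /tmp), i.e. any local user could stage a file there."""
    return bool(os.stat(os.path.dirname(path)).st_mode & stat.S_IWOTH)
```

Feeding `flag_untrusted` the executable paths from a real socket listing (for example the `ss -p` or `/proc/<pid>/exe` output) gives the same audit on a live system.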
UNC5174, also known as Uteus or Uetus, has a history of exploiting various security flaws to gain initial access to target environments. Their activities include leveraging vulnerabilities in Ivanti and SAP NetWeaver systems. The exploitation of CVE-2025-41244 underscores the persistent threat posed by state-sponsored actors and the importance of timely vulnerability management.
In response to this discovery, VMware released patches to address the vulnerability. VMware Tools 12.4.9, part of VMware Tools 12.5.4, remediates the issue for Windows 32-bit systems. Additionally, a version of open-vm-tools that addresses CVE-2025-41244 will be distributed by Linux vendors. Organizations using affected VMware products are strongly advised to apply these patches promptly to mitigate the risk of exploitation.
This incident highlights the critical need for organizations to maintain robust security practices, including regular software updates, monitoring for unusual activity, and implementing least privilege access controls. As cyber threats continue to evolve, staying vigilant and proactive in addressing vulnerabilities is essential to safeguarding sensitive information and maintaining operational integrity.