Critical Zero-Day Vulnerability in VMware Tools and Aria Operations Exploited for Privilege Escalation

A critical zero-day vulnerability, identified as CVE-2025-41244, has been discovered in VMware Tools and VMware Aria Operations, posing significant security risks to virtualized environments. This flaw enables unprivileged local users to escalate their privileges to root level, potentially leading to unauthorized code execution and system compromise.

Discovery and Disclosure

On September 29, 2025, Broadcom publicly disclosed CVE-2025-41244, highlighting its presence within VMware’s guest service discovery features. However, security firm NVISO reported that this vulnerability had been exploited in the wild as early as mid-October 2024 during their incident response activities. The exploitation has been attributed to UNC5174, a threat actor believed to be sponsored by the Chinese state, known for leveraging public exploits for initial access operations.

Technical Details

The vulnerability resides in the `get-versions.sh` script, a component responsible for identifying service versions running on a virtual machine. The script employs overly broad regular expressions to locate service binaries. For instance, a pattern like `/\S+/httpd` is intended to find the Apache web server binary but can also match a file named `httpd` located in user-writable directories such as `/tmp`.

An attacker can exploit this by placing a malicious executable at a path like `/tmp/httpd`, running it, and having it open a listening socket. The VMware service discovery process, which typically runs every five minutes, scans for running services; because of the flawed pattern it finds the attacker's binary and executes it with the `-v` flag to read its version, and it does so with the elevated privileges of the VMware Tools service. This provides the attacker with a root shell, granting them full control over the system.
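To make the matching problem concrete, the following added example (written for this write-up, not code from VMware or from the `get-versions.sh` script) runs the broad pattern quoted above over a constructed list of process command lines and contrasts it with an allowlist-based filter. The sample command lines, the `TRUSTED_HTTPD_PATHS` allowlist and the `USER_WRITABLE_PREFIXES` list are assumptions chosen for illustration, not values from the advisory.

```python
import re

# Constructed sample of process command lines, in the shape a discovery
# script might read from `ps`. Not real system output.
SAMPLE_CMDLINES = [
    "/usr/sbin/httpd -k start",
    "/usr/sbin/sshd -D",
    "/tmp/httpd",                          # binary dropped in a user-writable dir
    "/home/alice/.cache/httpd --daemon",   # same problem, different directory
    "/usr/lib/postfix/sbin/master",
]

# The overly broad pattern quoted in the write-up: any absolute path whose
# last component begins with "httpd", in whatever directory it lives.
BROAD_PATTERN = re.compile(r"/\S+/httpd")

# Hardened alternative (an assumption for this example, not VMware's fix):
# the executable must be exactly one of a short list of canonical locations.
TRUSTED_HTTPD_PATHS = {
    "/usr/sbin/httpd",
    "/usr/local/apache2/bin/httpd",
}

# Directories unprivileged users can typically write to. A discovery routine
# running as root should never treat a binary found here as a system service.
USER_WRITABLE_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home")


def broad_candidates(cmdlines):
    """Paths the broad regex selects, with no further checks (the flawed behaviour)."""
    hits = []
    for line in cmdlines:
        match = BROAD_PATTERN.search(line)
        if match:
            hits.append(match.group(0))
    return hits


def in_user_writable_dir(path):
    """True if `path` sits under one of the user-writable prefixes."""
    return any(path == p or path.startswith(p + "/") for p in USER_WRITABLE_PREFIXES)


def hardened_candidates(cmdlines):
    """Accept only allowlisted httpd paths; report why each other match was rejected.

    Returns (accepted, rejected) where rejected is a list of (path, reason).
    Nothing outside the allowlist is ever handed to a version probe.
    """
    accepted, rejected = [], []
    for line in cmdlines:
        exe = line.split()[0]  # argv[0]: the path a naive script would execute
        if exe in TRUSTED_HTTPD_PATHS:
            accepted.append(exe)
        elif BROAD_PATTERN.search(line):
            reason = "user-writable dir" if in_user_writable_dir(exe) else "not allowlisted"
            rejected.append((exe, reason))
    return accepted, rejected


if __name__ == "__main__":
    print("broad pattern selects:", broad_candidates(SAMPLE_CMDLINES))
    ok, bad = hardened_candidates(SAMPLE_CMDLINES)
    print("allowlist accepts:", ok)
    for path, why in bad:
        print(f"rejected {path}: {why}")
```

The broad pattern picks up `/tmp/httpd` and the copy under a home directory alongside the real Apache binary, because nothing in `/\S+/httpd` constrains the directory. The allowlist version never executes a path it did not expect, which removes the class of bug rather than one instance of it; the user-writable check is only there to explain rejections and to flag where an alert is worth raising.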

Affected Components

The vulnerability impacts two distinct service discovery modes:

1. Credential-less Service Discovery: In this mode, the vulnerability lies within the VMware Tools component itself, which is widely deployed on guest virtual machines.

2. Legacy Credential-based Service Discovery: Here, the flaw is located within VMware Aria Operations, the management platform for hybrid-cloud workloads.

Notably, the open-source variant of VMware Tools, `open-vm-tools`, distributed with most major Linux distributions, is also affected.

Exploitation in the Wild

NVISO’s research indicates that the in-the-wild exploitation of CVE-2025-41244 has been ongoing since mid-October 2024, and attributes it to UNC5174. However, due to the trivial nature of the exploit and the common threat actor practice of naming malware after system binaries (e.g., `httpd`), it is unclear if UNC5174 exploited the flaw intentionally or accidentally. It is possible that other malware has been unintentionally benefiting from this privilege escalation for years.

Detection and Mitigation

Organizations can detect exploitation by:

– Monitoring for Unusual Child Processes: Keep an eye on child processes spawned by `vmtoolsd` or the `get-versions.sh` script.

– Forensic Analysis: In credential-based mode, forensic evidence may be found in lingering script files located in `/tmp/VMware-SDMP-Scripts-{UUID}/` directories.
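The process-monitoring point above can be turned into a concrete rule. The following added example (not NVISO's or VMware's detection logic) reads constructed process-creation events in JSON-lines form, rebuilds the parent chain, and alerts when a process whose executable lies outside the usual system directories has `vmtoolsd` or `get-versions.sh` as an ancestor. The event format, the PIDs, the `TRUSTED_EXE_PREFIXES` list and the `/PLACEHOLDER_VMTOOLS_DIR/` path of the script are all assumptions for this example; the real location of `get-versions.sh` is not given on this page.

```python
import json
from pathlib import PurePosixPath

# Constructed process-creation events (JSON lines), shaped like what an EDR or
# auditd pipeline would emit. The lineage is: vmtoolsd -> sh get-versions.sh
# -> version probes. PIDs and the script directory are placeholders.
SAMPLE_EVENTS = """
{"pid": 812,  "ppid": 1,   "exe": "/usr/bin/vmtoolsd", "argv": ["/usr/bin/vmtoolsd"]}
{"pid": 4410, "ppid": 812, "exe": "/bin/sh", "argv": ["/bin/sh", "/PLACEHOLDER_VMTOOLS_DIR/get-versions.sh"]}
{"pid": 4411, "ppid": 4410, "exe": "/usr/sbin/httpd", "argv": ["/usr/sbin/httpd", "-v"]}
{"pid": 4412, "ppid": 4410, "exe": "/tmp/httpd", "argv": ["/tmp/httpd", "-v"]}
{"pid": 4420, "ppid": 1, "exe": "/tmp/httpd", "argv": ["/tmp/httpd"]}
"""

# Executables under these prefixes are treated as ordinary system services.
# Tune for hosts that legitimately run services from /opt or similar.
TRUSTED_EXE_PREFIXES = (
    "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
    "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/",
)

# Names that identify the service discovery machinery named in the write-up.
DISCOVERY_MARKERS = ("vmtoolsd", "get-versions.sh")


def parse_events(text):
    """Index JSON-lines events by pid so the parent chain can be walked."""
    return {ev["pid"]: ev for ev in (json.loads(l) for l in text.splitlines() if l.strip())}


def is_discovery_process(ev):
    """True if the event is vmtoolsd itself or a shell running get-versions.sh."""
    names = [PurePosixPath(ev["exe"]).name] + [PurePosixPath(a).name for a in ev["argv"]]
    return any(n in DISCOVERY_MARKERS for n in names)


def discovery_ancestor(ev, by_pid, max_depth=4):
    """Walk up at most `max_depth` parents; return the first discovery process, else None."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if is_discovery_process(parent):
            return parent
        cur = parent
    return None


def is_trusted_path(exe):
    return exe.startswith(TRUSTED_EXE_PREFIXES)


def find_suspicious_children(text):
    """Alert on non-system executables launched beneath the discovery process tree."""
    by_pid = parse_events(text)
    alerts = []
    for ev in by_pid.values():
        if is_trusted_path(ev["exe"]):
            continue
        ancestor = discovery_ancestor(ev, by_pid)
        if ancestor is not None:
            alerts.append({"pid": ev["pid"], "exe": ev["exe"],
                           "argv": ev["argv"], "via": ancestor["pid"]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} exe={alert['exe']} "
              f"argv={alert['argv']} under discovery pid={alert['via']}")
```

Only pid 4412 is reported: `/usr/sbin/httpd -v` is the expected probe of a real service, and the stand-alone `/tmp/httpd` (pid 4420) is not under the discovery tree, so it falls outside this rule even though it may deserve one of its own. Walking the ancestry rather than checking only the immediate parent matters because the probe is normally launched by the shell interpreting `get-versions.sh`, not directly by `vmtoolsd`.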

Recommendations

To mitigate the risks associated with CVE-2025-41244, organizations should:

1. Immediate Patching: Apply Broadcom’s advisory updates to VMware Tools and Aria Operations as soon as they are available.

2. Process Monitoring: Configure alerts for child processes of `vmtoolsd` or the Aria SDMP service originating from non-standard paths.

3. Filesystem Hardening: Restrict write permissions on directories matched by the vulnerable regex patterns (e.g., `/tmp`).

4. Network Isolation: Enforce strict guest VM network segmentation to limit potential attacker entry points.

Conclusion

The discovery of CVE-2025-41244 underscores the critical importance of timely vulnerability management and the need for organizations to stay vigilant against emerging threats. By promptly applying patches and implementing robust monitoring and security practices, organizations can protect their virtualized environments from potential exploitation.