VMware Tools & Aria 0-Day Enables Privilege Escalation and Remote Code Execution

Organizations running VMware hypervisors face a critical threat as a local privilege escalation zero-day, tracked as CVE-2025-41244, is under active exploitation in the wild.

This vulnerability impacts both VMware Tools (open-vm-tools) and VMware Aria Operations’ Service Discovery Management Pack (SDMP), enabling unprivileged users to achieve root-level code execution without authentication.

The UNC5174 threat group has weaponized this flaw since mid-October 2024, putting hybrid-cloud environments at significant risk of advanced persistent threats.

Vulnerability Overview

CVE-2025-41244 arises from overly broad regular expression patterns in the get-versions.sh component used by VMware Tools and Aria Operations SDMP.

The script’s get_version() function scans for listening sockets, then invokes matched binaries to retrieve version information.

However, its use of the non-whitespace shorthand \S unintentionally matches binaries in user-writable directories such as /tmp (for example, /tmp/httpd).

Attackers can stage malicious binaries in these locations, which the privileged VMware context will execute.

Example vulnerable calls in get-versions.sh:

```bash
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/\S+/mysqld($|\s)" -V
```

Because an attacker can mimic system binaries in writable paths, CVE-2025-41244 is an instance of CWE-426: Untrusted Search Path, offering trivial local privilege escalation (LPE) opportunities.
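To make the regex over-match concrete from a defender's side, the following added example (not code from the advisory or from VMware) applies the two patterns quoted above to a constructed list of listening-process command lines and separates hits under trusted system directories from hits in user-writable locations. The TRUSTED_ROOTS allowlist and the sample command lines are assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# The two patterns exactly as they appear in the vulnerable get-versions.sh
# calls quoted above. \S+ matches any run of non-whitespace, so "/tmp/httpd"
# satisfies the first pattern just as "/usr/sbin/httpd" does.
VULNERABLE_PATTERNS = [
    r"/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)",
    r"/\S+/mysqld($|\s)",
]

# Assumption for this example: directories from which a privileged collector
# could reasonably execute service binaries. Anything else is flagged.
TRUSTED_ROOTS = ("/usr/sbin/", "/usr/bin/", "/usr/libexec/", "/sbin/", "/bin/")

# Constructed sample of command lines of processes owning a listening socket,
# the kind of input get_version() inspects. The last two lines stand in for
# binaries staged in user-writable locations.
SAMPLE_LISTENERS = [
    "/usr/sbin/httpd -k start",
    "/usr/sbin/mysqld --basedir=/usr",
    "/usr/bin/python3 -m http.server",
    "/tmp/httpd",
    "/home/user/.cache/mysqld --bind-address=127.0.0.1",
]


def matched_binary(cmdline: str) -> Optional[str]:
    """Return the path the vulnerable patterns would select, or None."""
    for pat in VULNERABLE_PATTERNS:
        m = re.search(pat, cmdline)
        if m:
            # The match minus its trailing separator is the path the script
            # would go on to execute with -v / -V in a privileged context.
            return m.group(0).rstrip()
    return None


def audit_listeners(cmdlines: List[str]) -> Tuple[List[str], List[str]]:
    """Split matched binaries into trusted-path hits and suspect hits."""
    trusted, suspect = [], []
    for line in cmdlines:
        path = matched_binary(line)
        if path is None:
            continue
        (trusted if path.startswith(TRUSTED_ROOTS) else suspect).append(path)
    return trusted, suspect
```

Running audit_listeners over real listening-socket command lines (for example, from ss -lp output) on a host gives a quick inventory of binaries a privileged collector would execute from outside system directories.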

A proof-of-concept written in Go demonstrates the exploit: an unprivileged process opens a listening socket under /tmp/httpd, then VMware Tools or Aria Operations invokes it with a -v flag.

The malicious binary, when executed, connects back over a UNIX socket to spawn a root shell.

In Aria Operations’ credential-based mode, the metrics collector runs every five minutes under specified administrative credentials.

In credential-less mode, open-vm-tools handles metrics collection under its privileged context, making exploitation automatic once the malicious binary is in place.

CVE Details

CVE: CVE-2025-41244
Affected Components: VMware Tools (open-vm-tools) and VMware Aria Operations' SDMP
Impact: Local Privilege Escalation
Exploit Prerequisite: Local unprivileged user
CVSS 3.1 Score: 7.8

Mitigation & Recommendations

To defend against CVE-2025-41244, organizations should:

  • Immediate Patching: Apply Broadcom’s advisory updates to VMware Tools and Aria Operations as soon as they are available.
  • Process Monitoring: Configure alerts for child processes of vmtoolsd or the Aria SDMP service originating from non-standard paths.
  • Filesystem Hardening: Restrict write permissions on directories matched by the vulnerable regex patterns (e.g., /tmp).
  • Network Isolation: Enforce strict guest VM network segmentation to limit potential attacker entry points.

CVE-2025-41244 exemplifies how minor logic flaws in service discovery scripts can lead to severe privilege escalations.

Its trivial exploitation mechanism and documented use by UNC5174 underscore the imperative for rapid patch management, comprehensive process monitoring, and hardened guest VM environments to thwart current and future zero-day attacks.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
