VMware has released an advisory to address three high-severity vulnerabilities in VMware Aria Operations, VMware Tools, VMware Cloud Foundation, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure.
Disclosed on 29 September 2025, the advisory covers CVE-2025-41244, CVE-2025-41245, and CVE-2025-41246 with CVSSv3 base scores ranging from 4.9 to 7.8.
Administrators must apply the patched versions immediately to prevent local privilege escalation, information disclosure, and improper authorization exploits.
Local Privilege Escalation Flaw (CVE-2025-41244)
CVE-2025-41244 is a local privilege escalation vulnerability impacting VMware Aria Operations (all 8.x versions), VMware Tools (12.x, 13.x), and VMware Cloud Foundation Operations.
A malicious local actor with non-administrative privileges on a VM with VMware Tools installed and managed by Aria Operations (SDMP enabled) can exploit this flaw to escalate privileges to root.
Broadcom assigned a CVSSv3 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Resolution requires upgrading to a fixed release: Aria Operations 8.18.5, VMware Tools 13.0.5.0 or 12.5.4, and Cloud Foundation Operations 9.0.1.0. No workarounds are available.
Information Disclosure and Improper Authorization Flaws
CVE-2025-41245 introduces an information disclosure vulnerability in VMware Aria Operations.
An attacker with non-administrative Aria Operations access can disclose other users’ credentials. This flaw carries a CVSSv3 score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
Administrators should upgrade Aria Operations to 8.18.5 or apply the KB92148 patch for earlier Cloud Foundation versions.
CVE-2025-41246 is an improper authorization vulnerability in VMware Tools for Windows (all 12.x and 13.x releases).
A malicious user already authenticated via vCenter or ESX could pivot to other guest VMs if they know the target VM credentials. Its CVSSv3 score is 7.6 (AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Remediation requires updating VMware Tools for Windows to 13.0.5 or 12.5.4.
| CVE ID | Title | CVSSv3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-41244 | Local privilege escalation | 7.8 | Important |
| CVE-2025-41245 | Information disclosure | 4.9 | Important |
| CVE-2025-41246 | Improper authorization | 7.6 | Important |
Broadcom credits Maxime Thiebaut (NVISO), Sven Nobis and Lorin Lehawany (ERNW), and Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) for reporting these issues.
No workarounds exist for any of these vulnerabilities. All affected environments should apply the patches issued by Broadcom immediately.
Administrators without patching capability can temporarily restrict local VM user privileges and limit access to Aria Operations consoles.
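Because each supported branch received its own fix (VMware Tools 12.x is fixed at 12.5.4 while 13.x is fixed at 13.0.5.0), a naive "installed version below the newest fix" comparison will misreport a patched 12.5.4 host as vulnerable. The script below is an added example, not part of the article or a Broadcom tool; it takes the fixed versions named above, compares installed versions branch by branch, and lists the hosts that still need the update. The inventory it runs over is constructed sample data, and the product keys are placeholders for whatever an asset inventory actually exports.

```python
"""Branch-aware patch-status check for the advisory's fixed versions (added example)."""

# Fixed versions as stated in the article, keyed by product and major branch.
FIXED_VERSIONS = {
    "vmware-tools": {"12": "12.5.4", "13": "13.0.5.0"},
    "aria-operations": {"8": "8.18.5"},
    "cloud-foundation-operations": {"9": "9.0.1.0"},
}


def parse_version(text):
    """'13.0.5' -> (13, 0, 5, 0); a build field such as '12.5.4.1234' is kept as the 4th field."""
    nums = []
    for part in text.strip().split("."):
        if not part.isdigit():
            raise ValueError(f"non-numeric version field in {text!r}")
        nums.append(int(part))
    while len(nums) < 4:
        nums.append(0)  # pad so '12.5.4' and '12.5.4.0' compare equal
    return tuple(nums[:4])


def is_patched(product, installed):
    """True if installed >= the fix for its branch, False if below it,
    None if the branch is not one the advisory lists (review manually)."""
    branches = FIXED_VERSIONS[product]
    version = parse_version(installed)
    branch = str(version[0])
    if branch not in branches:
        return None
    return version >= parse_version(branches[branch])


# Constructed sample inventory (hostname -> (product, installed version)); not real data.
SAMPLE_INVENTORY = {
    "vm-web-01": ("vmware-tools", "12.5.3"),
    "vm-web-02": ("vmware-tools", "12.5.4"),
    "vm-db-01": ("vmware-tools", "13.0.1"),
    "vm-db-02": ("vmware-tools", "13.0.5.24000000"),
    "aria-ops": ("aria-operations", "8.18.4"),
}


def triage(inventory):
    """Return the sorted hostnames whose installed version is below the branch fix."""
    return sorted(host for host, (product, version) in inventory.items()
                  if is_patched(product, version) is False)


def unknown_branches(inventory):
    """Hosts whose branch the advisory does not list, so the check cannot decide."""
    return sorted(host for host, (product, version) in inventory.items()
                  if is_patched(product, version) is None)


if __name__ == "__main__":
    print("needs patch:", triage(SAMPLE_INVENTORY))
    print("review manually:", unknown_branches(SAMPLE_INVENTORY))
```

Returning None rather than False for an unlisted branch matters: a host running a branch that is out of support is not "patched", but it also cannot be judged from this advisory alone, and silently marking it clean would hide it from the review queue.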