Organizations running VMware virtual machines face an urgent threat as a local privilege escalation zero-day, tracked as CVE-2025-41244, is under active exploitation in the wild.
Both VMware Tools and VMware Aria Operations’ Service Discovery Management Pack (SDMP) are affected, allowing an unprivileged local user on a guest VM to obtain code execution as root.
The vulnerability has been weaponized by the UNC5174 threat group since mid-October 2024, heightening the risk of advanced persistent threats within hybrid-cloud environments.
CVE | Affected Components | Impact | Exploit Prerequisite | CVSS 3.1 Score |
--- | --- | --- | --- | --- |
CVE-2025-41244 | VMware Tools (open-vm-tools) and VMware Aria Operations’ SDMP | Local Privilege Escalation | Local unprivileged user | 7.8 |
VMware Aria Operations, part of the VMware Aria Suite, provides performance insights and capacity planning across virtual machines via the SDMP plugin. Service discovery can operate in two modes:
- Credential-based mode: VMware Aria Operations executes metrics-collector scripts within the guest VM under specified administrative credentials; VMware Tools acts as a proxy.
- Credential-less mode: VMware Tools itself handles metrics collection under its privileged context, requiring no credentials.
NVISO’s analysis confirmed that CVE-2025-41244 exists in both modes: in the Aria Operations scripts for credential-based mode, and in the open-source VMware Tools (open-vm-tools) for credential-less mode. In both cases the cause is the same: overly broad regex patterns in the get-versions.sh component.
Vulnerability Details
Within get-versions.sh, the get_version() function iterates through processes that hold listening sockets, matches their command lines against a regex, and executes each matched binary with a version flag to retrieve its version.
Several of the patterns use the non-whitespace shorthand \S for the directory part of the path, so they match a binary in any directory, including user-writable ones such as /tmp (for example, /tmp/httpd).
An attacker therefore only needs to stage a binary with a matching name in such a location and have it hold a listening socket; the collector, running in VMware’s privileged context, then executes it.
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/\S+/mysqld($|\s)" -V
Because the attacker can name a binary after a system service and place it in a writable path that the pattern accepts, the flaw falls under CWE-426: Untrusted Search Path, and exploitation is trivial.
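The matching step above, reproduced as an added example (this is not code from the page, from NVISO or from open-vm-tools). Python’s re module gives \S and \s the same meaning as GNU grep -E, so the page’s two patterns are used verbatim; the command lines, the allow-list in the hardened patterns, and the is_trusted_binary() ownership and permission guard are this example’s own assumptions, not the vendor’s fix. The hardened variant goes beyond the page by adding a second, regex-independent check that rejects any binary a non-owner could have planted.

```python
import os
import re
import stat
import tempfile

# The two patterns quoted from get-versions.sh. Python's re gives \S and \s the
# same meaning as GNU grep -E, so they can be studied unchanged.
VULNERABLE_PATTERNS = {
    "httpd": r"/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)",
    "mysqld": r"/\S+/mysqld($|\s)",
}

# Hardened variant written for this example (assumption, not the vendor's fix):
# the directory part is an explicit allow-list of root-owned system locations
# instead of "any run of non-whitespace characters".
TRUSTED_DIRS = r"/usr/(?:local/)?s?bin/"
HARDENED_PATTERNS = {
    "httpd": rf"(?:^|\s){TRUSTED_DIRS}(?:httpd-prefork|httpd|httpd2-prefork)(?=$|\s)",
    "mysqld": rf"(?:^|\s){TRUSTED_DIRS}mysqld(?=$|\s)",
}

# Constructed command lines of processes holding listening sockets, standing in
# for what the discovery script collects from the guest. Not real output.
SAMPLE_CMDLINES = [
    "/usr/sbin/httpd -k start",
    "/tmp/httpd -k start",                # attacker-staged look-alike in /tmp
    "/usr/sbin/mysqld --basedir=/usr",
    "/home/alice/.local/mysqld",          # attacker-staged look-alike in $HOME
    "/usr/bin/python3 -m http.server",    # listening, but matches nothing
]


def candidate_binaries(patterns, cmdlines):
    """Mimic the selection step of get_version(): for each pattern, return the
    binaries that `grep -Eo` would hand to the privileged collector to run."""
    found = {}
    for name, pattern in patterns.items():
        rx = re.compile(pattern)
        hits = []
        for line in cmdlines:
            m = rx.search(line)
            if m:
                # grep -o yields the whole match, delimiter included; strip it.
                hits.append(m.group(0).strip())
        found[name] = hits
    return found


def is_trusted_binary(path, trusted_uids=(0,)):
    """Regex-independent guard (this example's addition): refuse a binary that
    anyone other than the trusted owner could have planted or swapped. Checks
    the file and its parent directory, so a world-writable parent such as /tmp
    is enough to reject."""
    try:
        st = os.stat(path)
        parent = os.stat(os.path.dirname(path) or "/")
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in trusted_uids or parent.st_uid not in trusted_uids:
        return False
    loose_bits = stat.S_IWGRP | stat.S_IWOTH
    return not ((st.st_mode | parent.st_mode) & loose_bits)


def demo_guard():
    """Stage two files in a scratch directory, one with sane permissions and one
    world-writable, and check both plus an attacker-style /tmp path. The current
    uid stands in for root so the example runs unprivileged."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        good, bad = os.path.join(d, "httpd-good"), os.path.join(d, "httpd-bad")
        for p in (good, bad):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\n")
        os.chmod(good, 0o755)
        os.chmod(bad, 0o777)
        return (
            is_trusted_binary(good, trusted_uids=(me,)),
            is_trusted_binary(bad, trusted_uids=(me,)),
            is_trusted_binary("/tmp/httpd", trusted_uids=(me,)),
        )


if __name__ == "__main__":
    print("vulnerable:", candidate_binaries(VULNERABLE_PATTERNS, SAMPLE_CMDLINES))
    print("hardened:  ", candidate_binaries(HARDENED_PATTERNS, SAMPLE_CMDLINES))
    print("guard (good, bad, /tmp):", demo_guard())
```

Run as is, the vulnerable patterns select /tmp/httpd and /home/alice/.local/mysqld alongside the real daemons, while the hardened patterns select only the /usr/sbin binaries. The ownership guard matters even with a tight regex: a directory on the allow-list that has been left group- or world-writable is the same bug in a different place.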
A proof of concept written in Go demonstrates the exploit: the attacker’s unprivileged process, staged as /tmp/httpd, opens a listening socket, and VMware Tools or Aria Operations then invokes that binary with the -v flag.
When invoked this way, the binary connects back over a UNIX socket and spawns a root shell.
In practice, Aria Operations’ credential-based collector runs every five minutes, while credential-less collection is automatic within VMware Tools.
Mitigation & Recommendations
- Immediate patching: Apply Broadcom’s advisory updates to both VMware Tools and Aria Operations.
- Process monitoring: Alert on child processes of vmtoolsd or the Aria SDMP collector whose executable lives outside standard system directories.
- Filesystem hardening: The patterns match any directory, so the attacker only needs a location that is both user-writable and executable; mounting world-writable locations such as /tmp with noexec where workloads permit narrows the exposure but does not close it.
- Network isolation: Limit guest VM access to internal networks to reduce attacker entry points.
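The process-monitoring recommendation above, worked through as an added example (not code from the page or from any vendor). It assumes exec events with pid, ppid, comm and exe fields, as an auditd SYSCALL/EXECVE pair or an eBPF exec tracer would supply; the sample events are constructed, the trusted-directory list is an assumption, and the collector process name set contains only vmtoolsd because the page does not name the Aria SDMP collector process.

```python
import os.path

# Executable locations a collector is expected to launch binaries from
# (assumption for this example). Anything else spawned under it is worth an alert.
TRUSTED_PREFIXES = (
    "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/",
)

# Process names of the privileged collector. vmtoolsd is the VMware Tools
# daemon; the Aria SDMP collector's process name is not given on the page, so
# extend this set for your deployment (assumption).
COLLECTOR_COMMS = {"vmtoolsd"}

# Constructed exec events with the fields an auditd SYSCALL/EXECVE pair or an
# eBPF exec tracer would provide. Not real logs; pids and paths are invented.
EVENTS = [
    {"pid": 1200, "ppid": 1,    "comm": "vmtoolsd", "exe": "/usr/bin/vmtoolsd"},
    {"pid": 4311, "ppid": 1200, "comm": "sh",       "exe": "/bin/sh"},           # discovery script
    {"pid": 4320, "ppid": 4311, "comm": "httpd",    "exe": "/usr/sbin/httpd"},   # legitimate `httpd -v`
    {"pid": 4321, "ppid": 4311, "comm": "httpd",    "exe": "/tmp/httpd"},        # staged in /tmp
    {"pid": 4322, "ppid": 4311, "comm": "mysqld",   "exe": "/home/alice/.local/mysqld"},
    {"pid": 5000, "ppid": 1,    "comm": "cron",     "exe": "/usr/sbin/cron"},
    {"pid": 5001, "ppid": 5000, "comm": "backup",   "exe": "/tmp/backup"},       # not under the collector
]


def is_standard_path(exe):
    """True if the executable lives under a trusted directory. normpath folds
    '..' segments so '/usr/sbin/../../tmp/x' cannot slip past the prefix test;
    symlinks cannot be resolved offline, so feed the sensor's resolved exe path."""
    return os.path.normpath(exe).startswith(TRUSTED_PREFIXES)


def ancestors(pid, procs):
    """Walk ppid links upward, guarding against pid reuse creating a cycle."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def spawned_by_collector(event, procs):
    """True if any ancestor of the event's process is a collector daemon."""
    return any(a["comm"] in COLLECTOR_COMMS for a in ancestors(event["ppid"], procs))


def find_suspicious_execs(events):
    """Return (pid, exe) for executions that descend from a collector process
    and run from outside the trusted directories."""
    procs = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["comm"] in COLLECTOR_COMMS:
            continue
        if spawned_by_collector(e, procs) and not is_standard_path(e["exe"]):
            alerts.append((e["pid"], e["exe"]))
    return alerts


if __name__ == "__main__":
    for pid, exe in find_suspicious_execs(EVENTS):
        print(f"ALERT pid={pid} exe={exe}: launched under a VMware collector from a non-standard path")
```

On the sample, the rule fires for /tmp/httpd and /home/alice/.local/mysqld, stays quiet for the legitimate /usr/sbin/httpd version check, and ignores the /tmp/backup job because cron, not the collector, launched it. Walking the full ancestor chain rather than checking only the direct parent matters here because the collector runs the discovery script through a shell, so the planted binary is a grandchild of vmtoolsd, not a child.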
CVE-2025-41244 exemplifies how minor logic flaws in service discovery can lead to severe privilege escalations.
Its trivial exploitation and UNC5174’s real-world usage underscore the need for swift patch management, robust process monitoring, and hardened guest VM environments to thwart similar zero-day attacks.