A zero-day local privilege escalation vulnerability in VMware Tools and VMware Aria Operations is being actively exploited in the wild. The flaw, tracked as CVE-2025-41244, allows an unprivileged local attacker to gain root-level code execution on affected systems.
On September 29, 2025, Broadcom disclosed the vulnerability, which exists within VMware’s guest service discovery features. However, security firm NVISO reported identifying zero-day exploitation of this flaw dating back to mid-October 2024 during incident response engagements.
The vulnerability impacts both VMware Tools and VMware Aria Operations, key components used for managing virtualized environments. Successful exploitation allows a user with low privileges to execute arbitrary code within a privileged context, such as the root user on Linux systems.
The flaw affects two distinct service discovery modes:
- Credential-less service discovery: In this mode, the vulnerability lies within the VMware Tools component itself, which is widely deployed on guest virtual machines.
- Legacy credential-based service discovery: Here, the flaw is located within VMware Aria Operations, the management platform for hybrid-cloud workloads.
NVISO researchers confirmed the flaw exists in the open-source variant of VMware Tools, open-vm-tools, which is distributed with most major Linux distributions.
0-Day Vulnerability Exploitation
The root cause of CVE-2025-41244 is an Untrusted Search Path weakness (CWE-426) in the get-versions.sh script, which is responsible for identifying the versions of services running on a virtual machine.
The script uses overly broad regular expressions to locate service binaries. For example, a pattern like \S+/httpd is designed to find the Apache web server binary, but it will also match a file named httpd located in a user-writable directory such as /tmp.
An attacker can exploit this by placing a malicious executable at a path like /tmp/httpd. They then run this malicious process and have it open a listening socket. When the VMware service discovery process runs (typically every five minutes), it scans for running services.
The flawed script will find and execute the attacker’s malicious binary with the -v flag to get its version, but it does so with the elevated privileges of the VMware Tools service. This provides the attacker with a root shell, granting them full control over the system.
NVISO has attributed the in-the-wild exploitation to UNC5174, a threat actor believed to be sponsored by the Chinese state. This group has a history of leveraging public exploits for initial access operations.
However, researchers noted that due to the trivial nature of the exploit and the common threat actor practice of naming malware after system binaries (e.g., httpd), it is unclear if UNC5174 exploited the flaw intentionally or accidentally. It is possible that other malware has been unintentionally benefiting from this privilege escalation for years.
Organizations can detect exploitation by monitoring for unusual child processes spawned by vmtoolsd or the get-versions.sh script. In credential-based mode, forensic evidence may be found in lingering script files located in /tmp/VMware-SDMP-Scripts-{UUID}/ directories.
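As an added example (not code from the article, NVISO or Broadcom), the detection idea above applied to a process listing: any process spawned under vmtoolsd or get-versions.sh whose executable lives outside the packaged-binary directories is flagged, which catches the /tmp/httpd -v version probe described earlier. The trusted directory list, the get-versions.sh path and the sample ps output are constructed assumptions.

```python
import re

# Assumed set of directories where packaged service binaries legitimately live;
# adjust to the host's conventions. Anything else (e.g. /tmp, $HOME) is user-writable.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                    "/usr/local/sbin/", "/usr/local/bin/", "/opt/")

# Process names the article identifies as the discovery parents.
DISCOVERY_PARENTS = ("vmtoolsd", "get-versions.sh")

# Constructed sample in `ps -eo pid,ppid,args` layout (script path is an assumption).
SAMPLE_PS = """\
  PID  PPID ARGS
    1     0 /sbin/init
  842     1 /usr/bin/vmtoolsd
 1200     1 /tmp/httpd
 1290     1 /usr/sbin/httpd -k start
 1301   842 /bin/sh /usr/lib/open-vm-tools/serviceDiscovery/scripts/get-versions.sh
 1305  1301 /tmp/httpd -v
"""

def parse_ps(ps_text):
    """Parse the listing into {pid: (ppid, argv)}; the header row is skipped."""
    procs = {}
    for line in ps_text.strip().splitlines()[1:]:
        pid, ppid, *argv = line.split()
        procs[int(pid)] = (int(ppid), argv)
    return procs

def spawned_by_discovery(pid, procs):
    """Walk the ancestor chain; True if any ancestor is vmtoolsd or get-versions.sh."""
    seen = set()
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        argv = procs[ppid][1]
        if any(re.split(r"/", a)[-1] in DISCOVERY_PARENTS for a in argv):
            return True
        ppid = procs[ppid][0]
    return False

def find_suspicious_children(ps_text):
    """Return (pid, exe) for discovery-spawned processes whose exe is outside TRUSTED_PREFIXES."""
    procs = parse_ps(ps_text)
    hits = []
    for pid, (_ppid, argv) in procs.items():
        exe = argv[0]
        if not exe.startswith(TRUSTED_PREFIXES) and spawned_by_discovery(pid, procs):
            hits.append((pid, exe))
    return hits
```

The staged /tmp/httpd listener (pid 1200) is deliberately not flagged by this rule; only the privileged execution under the discovery parent is, which is the event the article says to monitor.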
Broadcom has released patches and published a security advisory to address CVE-2025-41244, and users are urged to apply the updates immediately.