Broadcom disclosed a local privilege escalation vulnerability affecting VMware’s guest service discovery features. Tracked as CVE-2025-41244, successful exploitation of the vulnerability may allow an unprivileged user to escalate privileges. Maxime Thiebaut from NVISO Labs discovered and reported the vulnerability to Broadcom.
The security researcher at NVISO Labs claims that the vulnerability has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor named UNC5174, a China-linked state-sponsored group.
Vulnerability Details
An attacker must have non-administrative privileges to access a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled to exploit the vulnerability. Upon successful exploitation of the vulnerability, an attacker may escalate privileges to root on the same VM.
Qualys Threat Intelligence provided a Qualys Vulnerability Score (QVS) of 95 for the vulnerability. Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known exploitable, and many more.
Proof of Concept
NVISO provides a PoC that stages a malicious binary (/tmp/httpd) that listens on a socket. Once VMware’s discovery function runs, it triggers the binary with version arguments, escalating privileges to root. The blog demonstrates how the exploit can be executed in credential-based and credential-less modes. When testing, the PoC results in a root shell, confirming full privilege escalation.
Affected Products and Fixed Versions
| Product | Component | Version | Running On | Fixed Version |
| VMware Cloud Foundation
VMware vSphere Foundation |
VMware Cloud Foundation Operations | 9.x.x.x | Any | 9.0.1.0 |
| VMware Cloud Foundation | VMware Tools | 13.x.x.x | Windows, Linux | 13.0.5.0 |
| VMware vSphere Foundation | ||||
| VMware Aria Operations | VMware Aria Operations | 8.x | Any | 8.18.5 |
| VMware Tools | N/A | 13.x.x | Windows, Linux | 13.0.5 |
| VMware Tools | N/A | 12.x.x, 11.x.x | Windows, Linux | 12.5.4 |
| VMware Cloud Foundation | VMware Aria Operations | 5.x, 4.x | Any | KB92148 |
| VMware Telco Cloud Platform | VMware Aria Operations | 5.x, 4.x | Any | 8.18.5 |
| VMware Telco Cloud Infrastructure | VMware Aria Operations | 3.x, 2.x | Any | 8.18.5 |
Notes:
- VMware Tools 12.4.9, part of VMware Tools 12.5.4, also addresses the issue for Windows 32-bit.
- Linux vendors will distribute a version of open-vm-tools that addresses CVE-2025-41244.
For more information about the mitigation, please refer to VMware Security Advisories VMSA-2025-0015 and VMSA-2025-0016.
Qualys Detection
Qualys customers can scan their devices with QIDs 733250 and 385437 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149