Broadcom Addresses Actively Exploited Vulnerability in VMware Aria Operations and VMware Tools (CVE-2025-41244)

Broadcom disclosed a local privilege escalation vulnerability affecting VMware’s guest service discovery features. The vulnerability is tracked as CVE-2025-41244, and successful exploitation may allow an unprivileged user to escalate privileges. Maxime Thiebaut from NVISO Labs discovered and reported the vulnerability to Broadcom.

The security researcher at NVISO Labs claims that the vulnerability has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor named UNC5174, a China-linked state-sponsored group.

Vulnerability Details

To exploit the vulnerability, an attacker must have non-administrative access to a VM that has VMware Tools installed and is managed by Aria Operations with SDMP enabled. Upon successful exploitation, the attacker may escalate privileges to root on the same VM.

Qualys Threat Intelligence assigned the vulnerability a Qualys Vulnerability Score (QVS) of 95. QVS is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known exploitable, and many more.

Proof of Concept

NVISO provides a PoC that stages a malicious binary (/tmp/httpd) that listens on a socket. Once VMware’s discovery function runs, it executes the binary with version arguments, escalating privileges to root. The NVISO blog demonstrates how the exploit can be executed in credential-based and credential-less modes. In testing, the PoC results in a root shell, confirming full privilege escalation.
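A defender-side check for the staging pattern described above, added here as an example (not code from NVISO, Broadcom or Qualys): it reports processes that hold a listening TCP socket while running from a world-writable directory such as /tmp. The directory list, the function names and the sample /proc/net/tcp rows are assumptions constructed for illustration, and the check covers IPv4 TCP listeners only.

```python
import os
import re

# Assumption: directories any local user can write to; adjust per host.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def listening_inodes(proc_net_tcp):
    """Map socket inode -> port for /proc/net/tcp rows in LISTEN state (st 0A)."""
    found = {}
    for row in proc_net_tcp.splitlines()[1:]:       # first line is the column header
        f = row.split()
        if len(f) > 9 and f[3] == "0A":
            found[f[9]] = int(f[1].rsplit(":", 1)[1], 16)
    return found

def flag_listeners(listeners, processes):
    """Return (pid, exe, port) for listeners whose binary lives in a writable dir."""
    hits = []
    for pid, exe, inodes in processes:
        if exe.startswith(WRITABLE_DIRS):
            hits += [(pid, exe, listeners[i]) for i in inodes if i in listeners]
    return hits

def live_processes(proc="/proc"):
    """Yield (pid, exe, socket inodes) per readable process; run as root to see all."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            fds = [os.readlink(f"{proc}/{pid}/fd/{n}")
                   for n in os.listdir(f"{proc}/{pid}/fd")]
        except OSError:
            continue                                 # process exited or access denied
        yield int(pid), exe, re.findall(r"socket:\[(\d+)\]", " ".join(fds))

# Constructed sample: two LISTEN rows (ports 0x1F90 = 8080, 0x0050 = 80), two processes.
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41234 1\n"
    "   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40001 1\n"
)
SAMPLE_PROCS = [(4242, "/tmp/httpd", ["41234"]), (811, "/usr/sbin/httpd", ["40001"])]

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")           # fall back to the sample off Linux
    tcp = open("/proc/net/tcp").read() if live else SAMPLE_TCP
    procs = live_processes() if live else SAMPLE_PROCS
    for pid, exe, port in flag_listeners(listening_inodes(tcp), procs):
        print(f"pid {pid}: {exe} listening on TCP port {port}")
```

A hit is a lead for triage rather than proof of exploitation, since legitimate software occasionally runs from temporary directories.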

Affected Products and Fixed Versions

| Product | Component | Version | Running On | Fixed Version |
|---|---|---|---|---|
| VMware Cloud Foundation, VMware vSphere Foundation | VMware Cloud Foundation Operations | 9.x.x.x | Any | 9.0.1.0 |
| VMware Cloud Foundation, VMware vSphere Foundation | VMware Tools | 13.x.x.x | Windows, Linux | 13.0.5.0 |
| VMware Aria Operations | VMware Aria Operations | 8.x | Any | 8.18.5 |
| VMware Tools | N/A | 13.x.x | Windows, Linux | 13.0.5 |
| VMware Tools | N/A | 12.x.x, 11.x.x | Windows, Linux | 12.5.4 |
| VMware Cloud Foundation | VMware Aria Operations | 5.x, 4.x | Any | KB92148 |
| VMware Telco Cloud Platform | VMware Aria Operations | 5.x, 4.x | Any | 8.18.5 |
| VMware Telco Cloud Infrastructure | VMware Aria Operations | 3.x, 2.x | Any | 8.18.5 |

Notes:
  • VMware Tools 12.4.9, part of VMware Tools 12.5.4, also addresses the issue for Windows 32-bit.
  • Linux vendors will distribute a version of open-vm-tools that addresses CVE-2025-41244.

For more information about the mitigation, please refer to VMware Security Advisories VMSA-2025-0015 and VMSA-2025-0016.

Qualys Detection

Qualys customers can scan their devices with QIDs 733250 and 385437 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
