Broadcom Addresses Actively Exploited Vulnerability in VMware Aria Operations and VMware Tools (CVE-2025-41244)

Broadcom disclosed a local privilege escalation vulnerability affecting VMware’s guest service discovery features. Tracked as CVE-2025-41244, successful exploitation of the vulnerability may allow an unprivileged user to escalate privileges. Maxime Thiebaut from NVISO Labs discovered and reported the vulnerability to Broadcom.

The security researcher at NVISO Labs claims that the vulnerability has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor named UNC5174, a China-linked state-sponsored group.

Vulnerability Details

To exploit the vulnerability, an attacker needs non-administrative access to a VM that has VMware Tools installed and is managed by Aria Operations with SDMP enabled. Upon successful exploitation, the attacker may escalate privileges to root on the same VM.

Proof of Concept

NVISO provides a PoC that stages a malicious binary (/tmp/httpd) that listens on a socket. Once VMware’s discovery function runs, it triggers the binary with version arguments, escalating privileges to root. The blog demonstrates how the exploit can be executed in credential-based and credential-less modes. In testing, the PoC results in a root shell, confirming full privilege escalation.
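A defender-side check for the staging pattern described above, as an added example that is not code from NVISO, Broadcom or Qualys: it lists processes that hold a listening TCP socket while running from a world-writable directory such as /tmp. Limiting the check to TCP listeners and the `proc` parameter (used to point the scan at a different /proc root) are assumptions of this example.

```python
import os
import stat
from pathlib import Path

LISTEN = "0A"  # TCP_LISTEN state code in /proc/net/tcp and /proc/net/tcp6

def listening_inodes(table_text):
    """Return inode numbers of LISTEN-state sockets from /proc/net/tcp text."""
    inodes = set()
    for line in table_text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) > 9 and f[3] == LISTEN:     # field 3 = state, field 9 = inode
            inodes.add(f[9])
    return inodes

def world_writable(directory):
    """True if any local user may create files in the directory (e.g. /tmp)."""
    try:
        return bool(os.stat(directory).st_mode & stat.S_IWOTH)
    except OSError:
        return False

def suspicious_listeners(proc="/proc"):
    """List (pid, exe) for TCP listeners that run from a world-writable dir."""
    root = Path(proc)
    inodes = set()
    for name in ("net/tcp", "net/tcp6"):
        try:
            inodes |= listening_inodes((root / name).read_text())
        except OSError:
            pass                              # table absent (e.g. IPv6 disabled)
    hits = []
    for piddir in root.iterdir():
        if not piddir.name.isdigit():
            continue
        try:
            exe = os.readlink(piddir / "exe")
            fds = [os.readlink(fd) for fd in (piddir / "fd").iterdir()]
        except OSError:                       # process exited, or root is required
            continue
        owns = any(t.startswith("socket:[") and t[8:-1] in inodes for t in fds)
        if owns and world_writable(os.path.dirname(exe)):
            hits.append((int(piddir.name), exe))
    return sorted(hits)

if __name__ == "__main__":
    for pid, exe in suspicious_listeners():
        print(f"review pid {pid}: listening from {exe}")
```

Run it as root so that other users' /proc/<pid>/fd entries are readable; it only sees sockets in the network namespace of the process running the scan.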

Affected Products and Fixed Versions

Product | Component | Version | Running On | Fixed Version
VMware Cloud Foundation, VMware vSphere Foundation | VMware Cloud Foundation Operations | 9.x.x.x | Any | 9.0.1.0
VMware Cloud Foundation, VMware vSphere Foundation | VMware Tools | 13.x.x.x | Windows, Linux | 13.0.5.0
VMware Aria Operations | VMware Aria Operations | 8.x | Any | 8.18.5
VMware Tools | N/A | 13.x.x | Windows, Linux | 13.0.5
VMware Tools | N/A | 12.x.x, 11.x.x | Windows, Linux | 12.5.4
VMware Cloud Foundation | VMware Aria Operations | 5.x, 4.x | Any | KB92148
VMware Telco Cloud Platform | VMware Aria Operations | 5.x, 4.x | Any | 8.18.5
VMware Telco Cloud Infrastructure | VMware Aria Operations | 3.x, 2.x | Any | 8.18.5

Notes:
  • VMware Tools 12.4.9, part of VMware Tools 12.5.4, also addresses the issue for Windows 32-bit.
  • Linux vendors will distribute a version of open-vm-tools that addresses CVE-2025-41244.

For more information about the mitigation, please refer to VMware Security Advisory (VMSA-2025-0015).

Qualys Detection

Qualys customers can scan their devices with QID 733250 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
