A zero-day local privilege escalation vulnerability in VMware Tools and VMware Aria Operations is being actively exploited in the wild. The flaw, tracked as CVE-2025-41244, allows an unprivileged local attacker to gain root-level code execution on affected systems.
On September 29, 2025, Broadcom disclosed the vulnerability, which exists in VMware's guest service discovery features. However, security firm NVISO reported identifying zero-day exploitation of this flaw dating back to mid-October 2024 during incident response engagements.
The vulnerability affects both VMware Tools and VMware Aria Operations, key components used to manage virtualized environments. Successful exploitation allows a user with low privileges to execute arbitrary code in a privileged context, such as the root user on Linux systems.
The flaw affects two distinct service discovery modes:
Credential-less service discovery: In this mode, the vulnerability lies in the VMware Tools component itself, which is widely deployed on guest virtual machines.
Legacy credential-based service discovery: Here, the flaw is located in VMware Aria Operations, the management platform for hybrid-cloud workloads.
NVISO researchers confirmed the flaw exists in the open-source variant of VMware Tools, open-vm-tools, which is distributed with most major Linux distributions.
0-Day Vulnerability Exploitation
The root cause of CVE-2025-41244 is an Untrusted Search Path weakness (CWE-426) in the get-versions.sh script, which is responsible for determining the versions of services running on a virtual machine.
The script uses overly broad regular expressions to locate service binaries. For example, a pattern like \S+/httpd is designed to find the Apache web server binary, but it also matches a file named httpd located in a user-writable directory such as /tmp, because the pattern accepts any directory prefix.
An attacker can exploit this by placing a malicious executable at a path like /tmp/httpd. They then run this malicious process and have it open a listening socket so that it shows up as a running service. When the VMware service discovery process runs (typically every 5 minutes), it scans for running services.
The flawed script finds the attacker's binary and executes it with the -v flag to read its version, but it does so with the elevated privileges of the VMware Tools service. Because the attacker controls what that binary does, it can spawn a root shell, granting full control over the system.
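The following is an added example, not code from open-vm-tools, VMware or NVISO. It models the CWE-426 pattern just described in simplified form: a service-discovery routine matches a constructed process listing against a broad regex, then executes each match with -v, so an attacker-planted httpd in a scratch directory (standing in for /tmp) gets run. A hardened variant keeps the same regex but only executes candidates under trusted, root-owned prefixes. The listing format ("pid command") and the trusted-prefix allow-list are assumptions; the real script's parsing is not reproduced, and nothing here runs as root.

```shell
#!/bin/sh
# Added example, not code from open-vm-tools/VMware: a simplified model of a
# service-discovery "version probe" that matches listening processes with a
# broad regex and executes the matched path with -v. The vulnerable variant
# executes whatever matched, wherever it lives; the hardened variant only
# executes paths under trusted system directories.
#
# Assumption: the process listing is a constructed string in the shape
# "pid command", standing in for ps/ss output.

# Portable spelling of \S+/httpd for grep -E (\S itself is a GNU extension).
HTTPD_PATTERN='[^[:space:]]+/httpd'

# Every distinct match of the pattern in the listing, one per line.
candidates() {
    pattern="$1"; listing="$2"
    printf '%s\n' "$listing" | grep -E -o "$pattern" | sort -u
}

# Vulnerable probe: runs each candidate with -v regardless of location.
# In the real flaw this runs as root under vmtoolsd; here it runs as the
# invoking user, which is enough to show the wrong file being executed.
vuln_probe_versions() {
    for bin in $(candidates "$1" "$2"); do
        if [ -x "$bin" ]; then "$bin" -v; fi
    done
    return 0
}

# Hardened probe: same matching, but a candidate is only executed when it
# sits below a trusted prefix, so user-writable locations are never run.
safe_probe_versions() {
    for bin in $(candidates "$1" "$2"); do
        case "$bin" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/local/bin/*|/usr/local/sbin/*)
                if [ -x "$bin" ]; then "$bin" -v; fi ;;
            *)
                printf 'rejected untrusted path: %s\n' "$bin" >&2 ;;
        esac
    done
    return 0
}

# Attacker side of the scenario: drops a fake "httpd" into the given scratch
# directory (standing in for /tmp) and prints the constructed listing in
# which it appears next to the legitimate Apache binary.
build_scenario() {
    dir="$1"
    cat > "$dir/httpd" <<'EOF'
#!/bin/sh
echo "attacker payload executed as $(id -un) with args: $*"
EOF
    chmod +x "$dir/httpd"
    printf '1234 /usr/sbin/httpd -DFOREGROUND\n4321 %s/httpd\n' "$dir"
}

# Stand-alone demo: the vulnerable probe runs the planted file, the
# hardened probe rejects it.
scratch=$(mktemp -d)
listing=$(build_scenario "$scratch")
echo "--- vulnerable matcher"
vuln_probe_versions "$HTTPD_PATTERN" "$listing"
echo "--- hardened matcher"
safe_probe_versions "$HTTPD_PATTERN" "$listing"
rm -rf "$scratch"
```

The allow-list is the minimal fix for the search-path weakness; a stricter version would also require the candidate to be owned by root and not writable by others before executing it, since a trusted directory can still contain an untrusted file if permissions are misconfigured.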
NVISO has attributed the in-the-wild exploitation to UNC5174, a threat actor believed to be sponsored by the Chinese state. This group has a history of leveraging public exploits for initial access operations.
However, researchers noted that because of the trivial nature of the exploit and the widespread threat actor practice of naming malware after system binaries (e.g., httpd), it is unclear whether UNC5174 exploited the flaw intentionally or unintentionally. It is possible that other malware has been unintentionally benefiting from this privilege escalation for years.
Organizations can detect exploitation by monitoring for unusual child processes spawned by vmtoolsd or the get-versions.sh script, in particular version probes of executables located outside the normal system directories. In credential-based mode, forensic evidence may be found in lingering script files located in /tmp/VMware-SDMP-Scripts-{UUID}/ directories.
Broadcom has released patches and published a security advisory to address CVE-2025-41244, and users are urged to apply the updates immediately.
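As an added detection example (not NVISO's or VMware's detection content), the filter below applies the two indicators from the paragraph above to constructed telemetry: it flags process-creation events where the parent is vmtoolsd or get-versions.sh and the child executable lives outside trusted system directories, and it lists leftover VMware-SDMP-Scripts-* directories under a given path. The event format "parent_comm|exe|argv" is an assumption standing in for whatever EDR, auditd or eBPF feed is available; map real fields accordingly.

```shell
#!/bin/sh
# Added example, not NVISO/VMware code: hunting for CVE-2025-41244 style
# activity in process-creation telemetry and on disk.
#
# Assumption: events are lines of the form "parent_comm|exe|argv". These
# sample events are constructed for the example; the first two are benign
# version probes of trusted binaries, the third and fifth are probes of
# executables in user-writable locations, the fourth is the attacker
# launching their fake httpd from an interactive shell (not a discovery
# probe, so it is not flagged by this rule).
SAMPLE_EVENTS='vmtoolsd|/usr/sbin/httpd|/usr/sbin/httpd -v
get-versions.sh|/usr/sbin/mysqld|/usr/sbin/mysqld --version
vmtoolsd|/tmp/httpd|/tmp/httpd -v
bash|/tmp/httpd|/tmp/httpd
get-versions.sh|/dev/shm/nginx|/dev/shm/nginx -v'

# Prints one ALERT line per event whose parent is the discovery component
# and whose executable is not under /bin, /sbin, /usr/bin, /usr/sbin,
# /usr/local/bin or /usr/local/sbin.
flag_discovery_children() {
    printf '%s\n' "$1" | awk -F'|' '
        $1 == "vmtoolsd" || $1 == "get-versions.sh" {
            if ($2 !~ /^\/(usr\/(local\/)?)?s?bin\//)
                print "ALERT parent=" $1 " exe=" $2 " argv=" $3
        }'
}

# Lists leftover credential-based-mode script directories directly under
# the given base (normally /tmp). The exact name pattern follows the
# /tmp/VMware-SDMP-Scripts-{UUID}/ artifact described in the text.
find_sdmp_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name 'VMware-SDMP-Scripts-*'
}

# Stand-alone demo over the constructed events and the real /tmp.
echo "--- suspicious discovery children"
flag_discovery_children "$SAMPLE_EVENTS"
echo "--- lingering SDMP script directories under /tmp"
find_sdmp_dirs /tmp
```

A benign deployment will also show vmtoolsd spawning version probes, so the signal is the location of the child executable rather than the parent alone; tune the trusted-prefix regex to the distribution's actual binary layout before deploying the rule.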