Cyber Web Spider Blog – News


China-Linked Hackers Exploit New VMware Zero-Day Since October 2024

Posted on September 30, 2025 by CWS

Sep 30, 2025 | Ravie Lakshmanan | Zero-Day / Vulnerability
A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor known as UNC5174, according to NVISO Labs.
The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions –

VMware Cloud Foundation 4.x and 5.x
VMware Cloud Foundation 9.x.x.x
VMware Cloud Foundation 13.x.x.x (Windows, Linux)
VMware vSphere Foundation 9.x.x.x
VMware vSphere Foundation 13.x.x.x (Windows, Linux)
VMware Aria Operations 8.x
VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)
VMware Telco Cloud Platform 4.x and 5.x
VMware Telco Cloud Infrastructure 2.x and 3.x

“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” VMware said in an advisory released Monday.
The fact that it is a local privilege escalation means that the adversary must first obtain access to the affected machine through some other means.
NVISO researcher Maxime Thiebaut has been credited with discovering and reporting the flaw on May 19, 2025, during an incident response engagement. The company also said VMware Tools 12.4.9, which is part of VMware Tools 12.5.4, remediates the issue for Windows 32-bit systems, and that a version of open-vm-tools that addresses CVE-2025-41244 will be distributed by Linux vendors.
[Figure: The vulnerable get_version() function]
While Broadcom makes no mention of it being exploited in real-world attacks, NVISO Labs attributed the activity to a China-linked threat actor Google Mandiant tracks as UNC5174 (aka Uteus or Uetus), which has a track record of exploiting various security flaws, including those impacting Ivanti and SAP NetWeaver, to obtain initial access to target environments.
“When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root),” Thiebaut said. “We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.”

NVISO said the vulnerability is rooted in a function called “get_version()” that takes a regular expression (regex) pattern as input for each process with a listening socket, checks whether the binary associated with that process matches the pattern, and, if so, invokes the supported service’s version command.
“While this functionality works as expected for system binaries (e.g., /usr/bin/httpd), the usage of the broad-matching \S character class (matching non-whitespace characters) in several of the regex patterns also matches non-system binaries (e.g., /tmp/httpd),” Thiebaut explained. “These non-system binaries are located within directories (e.g., /tmp) which are writable to unprivileged users by design.”

As a result, this opens the door to abuse by an unprivileged local attacker who stages a malicious binary at “/tmp/httpd,” resulting in privilege escalation when the VMware metrics collection service is executed. All a bad actor requires to abuse the flaw is to ensure that the binary is run by an unprivileged user and that it opens a listening socket on any port.
The Brussels-based cybersecurity company noted that it observed UNC5174 using the “/tmp/httpd” location to stage the malicious binary, spawn an elevated root shell, and achieve code execution. The exact nature of the payload executed using this method is unclear at this stage.
“The broad practice of mimicking system binaries (e.g., httpd) highlights the real threat that several other malware strains have accidentally been benefiting from unintended privilege escalations for years,” Thiebaut said.
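The root cause described above (a `\S`-based pattern that accepts `/tmp/httpd` as readily as `/usr/bin/httpd`) and the defender's follow-up question (which listening processes on a guest are running from world-writable directories under a service-like name?) are illustrated by the following added example. It is not NVISO's or VMware's code: the broad and strict patterns, the service-name list, the world-writable directory list, and the sample listener inventory are all constructed for illustration, and the strict pattern is one possible hardening, not Broadcom's actual fix.

```python
import re

# Service names a metrics collector might probe. Constructed list; the real
# get_version() patterns are not reproduced here.
SERVICE_NAMES = ("httpd", "mysqld", "sshd")

# Over-broad form of the check described in the article: \S+ accepts any
# non-whitespace prefix, so any path ending in a service name matches.
BROAD_PATTERN = re.compile(
    r"^\S+/(?:" + "|".join(map(re.escape, SERVICE_NAMES)) + r")$"
)

# Hardened form (assumption, not the vendor's patch): the directory part is an
# explicit allow-list of root-owned system locations instead of \S+.
STRICT_PATTERN = re.compile(
    r"^(?:/usr/local/s?bin|/usr/s?bin|/s?bin)/(?:"
    + "|".join(map(re.escape, SERVICE_NAMES))
    + r")$"
)

# Directories that are writable by unprivileged users by design on a typical
# Linux guest. Constructed list for the detection heuristic below.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def broad_match(exe_path: str) -> bool:
    """True if the over-broad pattern would have selected this binary."""
    return BROAD_PATTERN.match(exe_path) is not None


def is_system_binary(exe_path: str) -> bool:
    """True only for service binaries under the allow-listed system directories."""
    return STRICT_PATTERN.match(exe_path) is not None


def in_world_writable_dir(exe_path: str) -> bool:
    return exe_path.startswith(WORLD_WRITABLE_DIRS)


# Constructed sample inventory of listening processes: (pid, resolved
# executable path, listening port). On a real host this would be assembled
# from the socket table and /proc/<pid>/exe; these rows are made up.
SAMPLE_LISTENERS = [
    (1021, "/usr/sbin/httpd", 80),
    (2249, "/tmp/httpd", 41337),
    (3710, "/var/tmp/mysqld", 3306),
    (4001, "/usr/bin/python3", 8000),
]


def find_suspicious_listeners(listeners):
    """Return listeners whose executable lives in a world-writable directory.

    Each finding records whether the over-broad pattern would also have
    selected the binary, i.e. whether it is the get_version()-style case of a
    user-writable path masquerading as a system service.
    """
    findings = []
    for pid, exe, port in listeners:
        if not in_world_writable_dir(exe):
            continue
        findings.append(
            {
                "pid": pid,
                "exe": exe,
                "port": port,
                "matches_broad_pattern": broad_match(exe),
                "accepted_by_strict_pattern": is_system_binary(exe),
            }
        )
    return findings


if __name__ == "__main__":
    for path in ("/usr/sbin/httpd", "/tmp/httpd"):
        print(f"{path}: broad={broad_match(path)} strict={is_system_binary(path)}")
    for finding in find_suspicious_listeners(SAMPLE_LISTENERS):
        print("suspicious listener:", finding)
```

The two patterns differ only in the directory part, which is exactly where the article places the bug: once the path prefix is pinned to directories an unprivileged user cannot write to, a binary staged under `/tmp` never reaches the version-command step. The detection half is a host-side triage heuristic, not a signature: a listening process whose executable resolves into `/tmp`, `/var/tmp` or `/dev/shm` is worth a look on any guest, and one that also carries a system-service name is the specific shape this campaign used.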

Source: The Hacker News. Tags: China-Linked, Exploit, Hackers, October, VMware, Zero-Day
