A newly patched high-severity VMware vulnerability has been exploited as a zero-day since October 2024 for code execution with elevated privileges, NVISO Labs reports.
Tracked as CVE-2025-41244 (CVSS score of 7.8), the security defect affects both VMware Aria Operations and VMware Tools.
VMware’s parent company Broadcom rolled out patches this week, warning that the flaw allows attackers to escalate their privileges to root on VMs that have VMware Tools installed and are managed by Aria Operations with SDMP enabled, but made no mention of its in-the-wild exploitation.
The company’s public advisories typically warn customers if zero-day exploitation has been detected.
According to NVISO, which was credited for the find, a Chinese state-sponsored threat actor tracked as UNC5174 has been exploiting the bug for a year. UNC5174 was recently linked to an attack on cybersecurity firm SentinelOne.
“We can still not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness,” NVISO notes.
The vulnerability affects VMware Aria Operations’ service and application discovery feature, which includes both legacy credential-based service discovery (in which VMware Tools acts as a proxy for the operation) and credential-less service discovery (metrics collection implemented in VMware Tools).
“As part of its discovery, NVISO was able to confirm the privilege escalation affects both modes, with the logic flaw hence being respectively located within VMware Aria Operations (in credential-based mode) and the VMware Tools (in credential-less mode),” NVISO explains.
Noting that successful exploitation of CVE-2025-41244 allows unprivileged users to execute code with root privileges, NVISO warns that the open source variant of VMware Tools, namely open-vm-tools, which is included in major Linux distributions, is also affected.
Open-vm-tools’ discovery function, NVISO says, calls a function that takes as argument a regular expression pattern and uses it to match supported service binaries.
However, because the function uses the broad-matching \S character class in several regex patterns, it also matches non-system binaries located in directories writable by non-privileged users.
Thus, an attacker can abuse a vulnerable open-vm-tools version by staging a malicious binary in a path matched by one of the broad regular expressions, and it will be elevated for version discovery.
UNC5174, NVISO notes, has been exploiting the weakness by placing malicious binaries in the /tmp/httpd folder. To be elevated, the binaries are executed with low privileges and open a random listening socket.
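The following added example (not code from NVISO or open-vm-tools) illustrates the matching problem described above from a defender's view: a \S-based pattern accepts a service look-alike anywhere on the filesystem, while an illustrative hardened pattern anchored to non-user-writable directories does not. The service names, trusted directories, hardened pattern and sample process list are all constructed for this illustration and are not the project's actual values or fix.

```python
import re

# Service names the discovery logic looks for (constructed list, not the
# project's exact set); /tmp/httpd mimics the first of them.
SERVICE_NAMES = ("httpd", "nginx", "mysqld")

# Broad patterns in the style the article describes: \S (any non-whitespace)
# leaves the directory prefix completely unconstrained.
BROAD = [re.compile(rf"\S+/{n}\S*") for n in SERVICE_NAMES]

# Illustrative hardening (an assumption, not the vendor's fix): only accept
# executables under directories that unprivileged users cannot write to.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin", "/usr/libexec")
_PREFIX = "^(?:" + "|".join(re.escape(d) for d in TRUSTED_DIRS) + ")/"
HARDENED = [re.compile(_PREFIX + rf"(?:[^/\s]+/)*{n}[^/\s]*$") for n in SERVICE_NAMES]

def exe_path(cmdline: str) -> str:
    """First token of a process command line, i.e. the executable path."""
    return cmdline.split()[0]

def would_be_elevated(cmdline: str, patterns) -> bool:
    """True if discovery logic using these patterns would run this executable."""
    exe = exe_path(cmdline)
    return any(p.search(exe) for p in patterns)

def triage(cmdline: str) -> dict:
    """Flag processes the broad patterns accept but the hardened ones reject:
    service look-alikes living outside trusted directories."""
    broad = would_be_elevated(cmdline, BROAD)
    hardened = would_be_elevated(cmdline, HARDENED)
    return {"exe": exe_path(cmdline), "broad": broad, "hardened": hardened,
            "suspicious": broad and not hardened}

# Constructed sample of process command lines, as a collector would see them.
SAMPLE_PROCESSES = [
    "/usr/sbin/httpd -DFOREGROUND",
    "/tmp/httpd",
    "/home/dev/.local/bin/nginx -g daemon off;",
    "/usr/bin/python3 app.py",
]

def suspicious_processes(cmdlines=SAMPLE_PROCESSES) -> list:
    """Executable paths that only the broad patterns would have elevated."""
    return [t["exe"] for t in (triage(c) for c in cmdlines) if t["suspicious"]]

if __name__ == "__main__":
    for c in SAMPLE_PROCESSES:
        print(triage(c))
```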
Broadcom fixed the flaw in recent releases of VMware Cloud Foundation, vSphere Foundation, Aria Operations, Telco Cloud Platform, and VMware Tools, and noted that fixes for open-vm-tools will be distributed by Linux distributors.
To detect CVE-2025-41244’s exploitation, organizations should look for unusual child processes. In environments without monitoring, analysis of lingering metrics collector scripts and outputs in legacy credential-based mode should confirm the exploitation.
“The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years,” NVISO says, noting that the bug could easily be found in the open-vm-tools source code by threat actors.