Warning: Local privilege escalation vulnerability in VMware Aria Operations and VMware Tools can be exploited to gain root permissions, proof of concept available. Patch immediately!

Published: 01/10/2025
  • Last update: 30/09/2025
  • Affected software:
    → VMware Aria Operations 8.x
    → VMware Tools versions 13.x.x, 12.x.x, 11.x.x
  • Type: CWE-267: Privilege Defined With Unsafe Actions
  • CVE/CVSS
    → CVE-2025-41244: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-41244
Broadcom - https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149

Risks

This vulnerability could allow a malicious actor with low administrative privileges in a virtual machine running within a VMware Aria environment with SDMP (Service Discovery Management Pack) enabled and VMware Tools installed to escalate privileges. Successful exploitation gives the attacker full control of the compromised VM and therefore a full impact on confidentiality, integrity and availability within that VM (data theft, tampering, service disruption). While this vulnerability does not, by itself, demonstrate a hypervisor escape, obtaining root in a VM substantially raises the risk of lateral movement and further compromise of other systems reachable from the VM.

NVISO observed in-the-wild use of this zero-day since October 2024 and provides a working proof-of-concept demonstrating root execution.

Description

CVE-2025-41244 is a local privilege escalation in the service discovery feature of VMware Aria Operations / VMware Tools. The vulnerability comes from overly broad regular expressions in the service discovery/version detection logic, which can match non-system binaries staged by unprivileged users and cause them to be executed. An unprivileged user can place and run a specially crafted binary (for example under /tmp) that is then invoked by the service discovery component; when the collector runs, its privileged context executes the binary's "version" code path, and the PoC demonstrates that this results in a root shell. Exploitation requires local access to the guest VM (no remote exploitation of the hypervisor is shown).
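The following is an added detection example and is not code from the CCB, NVISO or VMware. It illustrates the failure mode described above from the defender's side: a privileged collector should only probe binaries that live under trusted system directories, and a root-context execution of a version probe against a binary outside those directories (such as /tmp) is worth alerting on. The log line format, the field names and the set of version flags are constructed assumptions for this example, not the real product's telemetry.

```python
import re
from pathlib import PurePosixPath

# Directories where a privileged version-detection collector should expect
# legitimate service binaries. Anything outside (e.g. /tmp, home dirs) can
# be staged by unprivileged users and must not run with elevated privileges.
TRUSTED_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                    "/usr/libexec", "/usr/local/bin", "/usr/local/sbin")

# Assumed version-probe flags a collector might pass to a matched binary.
VERSION_FLAG = re.compile(r"(^|\s)(-v|-V|--version|version)(\s|$)")

# Constructed exec-log format (hypothetical): uid, parent process, exe, argv.
LOG_LINE = re.compile(
    r'uid=(?P<uid>\d+) parent=(?P<parent>\S+) exe=(?P<exe>\S+) argv="(?P<argv>[^"]*)"'
)


def is_trusted_binary_path(path: str) -> bool:
    """True only for an absolute path, without '..' segments, under a trusted dir."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    norm = str(p)  # collapses duplicate slashes but does not resolve '..'
    return any(norm == d or norm.startswith(d + "/") for d in TRUSTED_BIN_DIRS)


def flag_suspicious_version_probes(lines):
    """Return (exe, argv, parent) for root-context version probes of untrusted binaries."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        uid, exe, argv = int(m.group("uid")), m.group("exe"), m.group("argv")
        if uid == 0 and VERSION_FLAG.search(argv) and not is_trusted_binary_path(exe):
            findings.append((exe, argv, m.group("parent")))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    'uid=0 parent=collector exe=/tmp/httpd argv="/tmp/httpd -v"',
    'uid=0 parent=collector exe=/usr/sbin/httpd argv="/usr/sbin/httpd -v"',
    'uid=1000 parent=bash exe=/tmp/httpd argv="/tmp/httpd -v"',
    'uid=0 parent=collector exe=/usr/bin/../../tmp/httpd argv="/usr/bin/../../tmp/httpd --version"',
]

if __name__ == "__main__":
    for finding in flag_suspicious_version_probes(SAMPLE_LOG):
        print("ALERT: privileged version probe of untrusted binary:", finding)
```

Only the first and fourth sample lines are flagged: the second probes a binary under /usr/sbin and the third runs as an unprivileged user.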

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends that organizations scale up monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

NVISO - https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/