A newly patched high-severity VMware vulnerability has been exploited as a zero-day since October 2024 for code execution with elevated privileges, NVISO Labs reports.
Tracked as CVE-2025-41244 (CVSS score of 7.8), the security defect impacts both VMware Aria Operations and VMware Tools.
VMware’s parent company Broadcom rolled out patches this week, warning that the flaw allows attackers to escalate their privileges to root on VMs that have VMware Tools installed and are managed by Aria Operations with SDMP enabled, but made no mention of its in-the-wild exploitation.
The company’s public advisories typically warn customers if zero-day exploitation has been detected.
According to NVISO, which was credited for the find, a Chinese state-sponsored threat actor tracked as UNC5174 has been exploiting the bug for a year. UNC5174 was recently linked to an attack on cybersecurity firm SentinelOne.
“We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness,” NVISO notes.
The vulnerability impacts VMware Aria Operations’ service and application discovery feature, which includes both legacy credential-based service discovery (in which VMware Tools acts as a proxy for the operation) and credential-less service discovery (metrics collection implemented in VMware Tools).
“As part of its discovery, NVISO was able to confirm the privilege escalation affects both modes, with the logic flaw hence being respectively located within VMware Aria Operations (in credential-based mode) and the VMware Tools (in credential-less mode),” NVISO explains.
Noting that successful exploitation of CVE-2025-41244 allows unprivileged users to execute code with root privileges, NVISO warns that the open source variant of VMware Tools, namely open-vm-tools, which is included in major Linux distributions, is also impacted.
Open-vm-tools’ discovery function, NVISO says, calls a function that takes as argument a regular expression pattern that checks it to match supported service binaries.
However, because the function uses the broad‑matching S character class in several regex patterns, it also matches non-system binaries located in directories writable to non-privileged users.
Thus, an attacker can abuse a vulnerable open-vm-tools iteration by staging a malicious binary in a broadly-matched regular expression path, and it will be elevated for version discovery.
UNC5174, NVISO notes, has been exploiting the security weakness by placing malicious binaries in the /tmp/httpd folder. To be elevated, the binaries are executed with low privileges and open a random listening socket.
Broadcom fixed the flaw in fresh releases of VMware Cloud Foundation, vSphere Foundation, Aria Operations, Telco Cloud Platform, and VMware Tools, and noted that fixes for open-vm-tools will be distributed by Linux vendors.
To detect CVE-2025-41244’s exploitation, organizations should look for uncommon child processes. In environments without monitoring, analysis of lingering metrics collector scripts and outputs in legacy credential-based mode should confirm the exploitation.
“The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years,” NVISO says, noting that the bug could easily be found in the open-vm-tools source code by threat actors.
Related: Call for Presentations Open for 2025 CISO Forum Virtual Summit
Related: Google Patches Gemini AI Hacks Involving Poisoned Logs, Search Results
Related: Apple Updates iOS and macOS to Prevent Malicious Font Attacks
Related: Organizations Warned of Exploited Sudo Vulnerability
Source: securityweek.com
