
Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability

A newly patched high-severity VMware vulnerability has been exploited as a zero-day since October 2024 for code execution with elevated privileges, NVISO Labs reports.

Tracked as CVE-2025-41244 (CVSS score of 7.8), the security defect impacts both VMware Aria Operations and VMware Tools.

VMware's parent company Broadcom rolled out patches this week, warning that the flaw allows attackers to escalate their privileges to root on VMs that have VMware Tools installed and are managed by Aria Operations with SDMP enabled, but made no mention of its in-the-wild exploitation.

The company's public advisories typically warn customers if zero-day exploitation has been detected.

According to NVISO, which was credited for the discovery, a Chinese state-sponsored threat actor tracked as UNC5174 has been exploiting the bug for a year. UNC5174 was recently linked to an attack on cybersecurity firm SentinelOne.

"We can however not assess whether this exploit was part of UNC5174's capabilities or whether the zero-day's usage was merely accidental due to its trivialness," NVISO notes.


The vulnerability impacts VMware Aria Operations' service and application discovery feature, which includes both legacy credential-based service discovery (in which VMware Tools acts as a proxy for the operation) and credential-less service discovery (metrics collection implemented in VMware Tools).

"As part of its discovery, NVISO was able to confirm the privilege escalation impacts both modes, with the logic flaw hence being respectively located within VMware Aria Operations (in credential-based mode) and the VMware Tools (in credential-less mode)," NVISO explains.

Noting that successful exploitation of CVE-2025-41244 allows unprivileged users to execute code with root privileges, NVISO warns that the open source variant of VMware Tools, namely open-vm-tools, which is included in major Linux distributions, is also impacted.

Open-vm-tools' discovery function, NVISO says, calls a function that takes a regular expression pattern as its argument and uses it to match supported service binaries.

However, because the function uses the broad-matching `\S` character class in several regex patterns, it also matches non-system binaries located in directories writable by non-privileged users.


Thus, an attacker can abuse a vulnerable open-vm-tools version by staging a malicious binary in a path matched by one of the broad regular expressions, and it will be executed with elevated privileges during version discovery.

UNC5174, NVISO notes, has been exploiting the security weakness by placing malicious binaries in the /tmp/httpd folder. To get elevated, the binaries are executed with low privileges and open a random listening socket.

Broadcom fixed the flaw in recent releases of VMware Cloud Foundation, vSphere Foundation, Aria Operations, Telco Cloud Platform, and VMware Tools, and noted that fixes for open-vm-tools will be distributed by Linux distributors.

To detect exploitation of CVE-2025-41244, organizations should look for unusual child processes. In environments without monitoring, analysis of lingering metrics collector scripts and outputs in legacy credential-based mode should confirm the exploitation.

"The wide practice of mimicking system binaries (e.g., httpd) highlights the real possibility that multiple other malware strains have accidentally been benefiting from unintended privilege escalations for years," NVISO says, noting that the bug could easily be found in the open-vm-tools source code by threat actors.
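The following is an added illustration, not code from the article, from NVISO, or from the open-vm-tools project. It shows why a service-matching pattern built on the `\S` character class accepts a binary from a world-writable directory, and contrasts it with a pattern anchored to root-owned system directories. `BROAD_PATTERN`, `STRICT_PATTERN`, and the `TRUSTED_DIRS` list are constructed for this example and are not the actual open-vm-tools patterns or the vendor's fix.

```python
import re
from typing import Dict, Optional

# Constructed pattern in the style the article describes: "\S+" swallows any
# non-whitespace prefix, so the directory of the binary is never constrained.
# This is an illustrative pattern, not the real open-vm-tools source.
BROAD_PATTERN = re.compile(r"^(\S+/httpd)(?:\s|$)")

# Hardened variant (an assumption for this example, not the vendor's patch):
# only binaries under root-owned system directories are accepted as "httpd".
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/local/sbin/", "/sbin/", "/bin/")
STRICT_PATTERN = re.compile(
    r"^((?:" + "|".join(re.escape(d) for d in TRUSTED_DIRS) + r")httpd)(?:\s|$)"
)


def broad_match(cmdline: str) -> Optional[str]:
    """Path the broad pattern would treat as the httpd binary, or None."""
    m = BROAD_PATTERN.match(cmdline)
    return m.group(1) if m else None


def strict_match(cmdline: str) -> Optional[str]:
    """Path the anchored pattern would treat as the httpd binary, or None."""
    m = STRICT_PATTERN.match(cmdline)
    return m.group(1) if m else None


def compare(cmdlines) -> Dict[str, Dict[str, Optional[str]]]:
    """Side-by-side result of both patterns for each command line."""
    return {c: {"broad": broad_match(c), "strict": strict_match(c)} for c in cmdlines}


if __name__ == "__main__":
    # Constructed command lines: a genuine service, a binary staged in /tmp,
    # one in a user's home directory, and a near-miss name.
    samples = [
        "/usr/sbin/httpd -k start",
        "/tmp/httpd",
        "/home/alice/bin/httpd --port 8080",
        "/usr/sbin/httpd2",
    ]
    for cmd, res in compare(samples).items():
        print(f"{cmd!r:45} broad={res['broad']!r:30} strict={res['strict']!r}")
```

The broad pattern returns `/tmp/httpd` and `/home/alice/bin/httpd` as if they were the web server, which is exactly the class of match the article says leads to elevated execution; the anchored pattern returns only `/usr/sbin/httpd`. The general lesson is that any privileged discovery or collection routine should match against an allowlist of trusted locations rather than only on a trailing binary name.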
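As an added example of the "unusual child processes" check described above (this is not NVISO's or Broadcom's detection content), the script below runs two rules over constructed process-creation events: a binary launched by the VMware Tools daemon from outside system directories, and any binary whose name mimics a well-known service but lives outside those directories. The log format, the `vmtoolsd` parent name, the `TRUSTED_PREFIXES` allowlist, and the `SERVICE_NAMES` watchlist are assumptions; adapt the parser to your EDR or auditd export.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry) in a simple
# key=value format. Timestamps and pids are made up for this example.
SAMPLE_LOG = """\
2025-10-01T10:00:01Z pid=4211 ppid=1337 parent=vmtoolsd uid=0 exe=/usr/sbin/httpd
2025-10-01T10:00:02Z pid=4212 ppid=1337 parent=vmtoolsd uid=0 exe=/tmp/httpd
2025-10-01T09:58:40Z pid=4190 ppid=2201 parent=bash uid=1000 exe=/tmp/httpd
2025-10-01T10:00:03Z pid=4213 ppid=1337 parent=vmtoolsd uid=0 exe=/usr/sbin/mysqld
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) parent=(?P<parent>\S+) "
    r"uid=(?P<uid>\d+) exe=(?P<exe>\S+)$"
)

# Assumptions for this example: the VMware Tools daemon is named vmtoolsd,
# root-owned binaries live under these prefixes, and these names are the
# service binaries an attacker might imitate. Tune all three to your fleet.
COLLECTOR_PARENTS = {"vmtoolsd"}
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")
SERVICE_NAMES = {"httpd", "nginx", "mysqld", "postgres", "sshd"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one log line into a dict of fields; None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted_path(exe: str) -> bool:
    return exe.startswith(TRUSTED_PREFIXES)


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the first rule the event trips, or None if it is clean."""
    exe = event["exe"]
    # Rule 1: the tools daemon (which runs as root) spawned something outside
    # system directories. This is the unusual child process the article points to.
    if event["parent"] in COLLECTOR_PARENTS and not is_trusted_path(exe):
        return "collector-spawned-untrusted-binary"
    # Rule 2: a service-name lookalike outside system directories, whatever
    # launched it. This catches the low-privilege staging run as well.
    if exe.rsplit("/", 1)[-1] in SERVICE_NAMES and not is_trusted_path(exe):
        return "service-name-lookalike-outside-system-dirs"
    return None


def detect(log_text: str) -> List[Dict[str, str]]:
    """Run both rules over every parseable line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        rule = evaluate(event)
        if rule:
            findings.append(
                {"ts": event["ts"], "pid": event["pid"], "uid": event["uid"],
                 "parent": event["parent"], "exe": event["exe"], "rule": rule}
            )
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} pid={f['pid']} uid={f['uid']} {f['parent']} -> {f['exe']}: {f['rule']}")
```

On the constructed input, the genuine `/usr/sbin/httpd` and `/usr/sbin/mysqld` children are clean, the root-level `vmtoolsd -> /tmp/httpd` event trips rule 1, and the earlier low-privilege `bash -> /tmp/httpd` run trips rule 2. Correlating the two on the same path, as the article's description of the staging step suggests, gives a higher-confidence signal than either rule alone.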
