
China-Linked Hackers Exploit New VMware Zero-Day Since October 2024

A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor known as UNC5174, according to NVISO Labs.

The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions –

  • VMware Cloud Foundation 4.x and 5.x
  • VMware Cloud Foundation 9.x.x.x
  • VMware Cloud Foundation 13.x.x.x (Windows, Linux)
  • VMware vSphere Foundation 9.x.x.x
  • VMware vSphere Foundation 13.x.x.x (Windows, Linux)
  • VMware Aria Operations 8.x
  • VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)
  • VMware Telco Cloud Platform 4.x and 5.x
  • VMware Telco Cloud Infrastructure 2.x and 3.x

“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” VMware said in an advisory released Monday.


The fact that it is a local privilege escalation means that the adversary must first secure access to the target machine through some other means.

NVISO researcher Maxime Thiebaut has been credited with discovering and reporting the shortcoming on May 19, 2025, during an incident response engagement. The company also said VMware Tools 12.4.9, which is part of VMware Tools 12.5.4, remediates the issue for Windows 32-bit systems, and that a version of open-vm-tools that addresses CVE-2025-41244 will be distributed by Linux vendors.

The weak get_version() operate

While Broadcom makes no mention of it being exploited in real-world attacks, NVISO Labs attributed the activity to a China-linked threat actor Google Mandiant tracks as UNC5174 (aka Uteus or Uetus), which has a track record of exploiting various security flaws, including those impacting Ivanti and SAP NetWeaver, to obtain initial access to target environments.

“When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root),” Thiebaut said. “We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.”


NVISO said the vulnerability is rooted in a function called “get_version()” that takes a regular expression (regex) pattern as input for each process with a listening socket, checks whether the binary associated with that process matches the pattern, and, if so, invokes the supported service’s version command.

“While this functionality works as expected for system binaries (e.g., /usr/bin/httpd), the usage of the broad‑matching \S character class (matching non‑whitespace characters) in several of the regex patterns also matches non-system binaries (e.g., /tmp/httpd),” Thiebaut explained. “These non-system binaries are located within directories (e.g., /tmp) which are writable to unprivileged users by design.”


As a result, this opens the door to potential abuse by an unprivileged local attacker staging a malicious binary at “/tmp/httpd,” leading to privilege escalation when the VMware metrics collection is executed. All a bad actor requires to abuse the flaw is to ensure that the binary is run by an unprivileged user and that it opens a random listening socket.
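The following is an added illustration, not code from NVISO, Broadcom or the open-vm-tools project: it shows why a `\S+`-style pattern selects binaries outside the system directories, contrasts it with a pattern anchored to expected locations, and runs a defender-side audit over a constructed inventory of listening processes. The regexes, the directory list and the sample inventory are assumptions made for the example; they are not the actual patterns used by get_version().

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ListeningProcess:
    """One process holding a listening socket (constructed sample record)."""
    pid: int
    exe: str        # path of the executable backing the process
    owner_uid: int  # uid owning the executable on disk (0 = root)


# Constructed inventory, not real telemetry: two legitimate daemons and three
# binaries placed where unprivileged users can write.
SAMPLE_PROCESSES = [
    ListeningProcess(412, "/usr/sbin/httpd", 0),
    ListeningProcess(977, "/usr/bin/mysqld", 0),
    ListeningProcess(2031, "/tmp/httpd", 1001),
    ListeningProcess(2044, "/home/alice/.cache/httpd", 1001),
    ListeningProcess(2050, "/var/tmp/nginx", 1001),
]

# Hypothetical pattern in the style the article describes: \S+ accepts any
# run of non-whitespace characters, so every path ending in "/httpd" matches.
BROAD_HTTPD = re.compile(r"^\S+/httpd$")

# Hardened counterpart (assumed): only expected system locations may match.
STRICT_HTTPD = re.compile(r"^/usr/(?:s?bin|libexec)/httpd$")

# Directory trees writable by unprivileged users by design (assumed list).
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def selected_by(pattern: re.Pattern, processes) -> list:
    """Return the executable paths that a given service pattern would select
    for a version probe."""
    return [p.exe for p in processes if pattern.match(p.exe)]


def is_suspect(proc: ListeningProcess) -> bool:
    """A listening binary is suspect if it lives in a user-writable tree or is
    not owned by root; a privileged version probe should refuse both."""
    return proc.exe.startswith(USER_WRITABLE_PREFIXES) or proc.owner_uid != 0


def audit(processes) -> list:
    """Hunting check: list (pid, exe) for every listening process whose binary
    an unprivileged user could have planted, whatever its name."""
    return [(p.pid, p.exe) for p in processes if is_suspect(p)]


if __name__ == "__main__":
    print("broad pattern selects:", selected_by(BROAD_HTTPD, SAMPLE_PROCESSES))
    print("strict pattern selects:", selected_by(STRICT_HTTPD, SAMPLE_PROCESSES))
    for pid, exe in audit(SAMPLE_PROCESSES):
        print(f"pid {pid}: listening binary {exe} is in a user-writable location or not root-owned")
```

The ownership test is an extra check beyond the article's description; in practice the same idea applies to any collector that executes a binary it found by name: verify the path and owner before running it with elevated privileges, and alert on listening sockets backed by executables under /tmp or a home directory.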


The Brussels-based cybersecurity company noted that it observed UNC5174 using the “/tmp/httpd” location to stage the malicious binary, spawn an elevated root shell and achieve code execution. The exact nature of the payload executed using this method is unclear at this stage.

“The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have by accident been benefiting from unintended privilege escalations for years,” Thiebaut said.
