Broadcom Addresses VMware Zero-Day Vulnerability CVE-2025-41244

Edward Zhou
CEO & Co-Founder

October 2, 2025

Broadcom Patches VMware Zero-Day Exploited by UNC5174

Broadcom has released patches for six VMware vulnerabilities, including CVE-2025-41244, which has been actively exploited in the wild by the threat actor known as UNC5174 since mid-October 2024. This local privilege escalation vulnerability affects VMware Aria Operations and VMware Tools.

[Image: Chinese hackers espionage. Image courtesy of Security Affairs]

According to Broadcom's advisory, “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.” The maximum CVSSv3 base score for this vulnerability is 7.8.

The vulnerability impacts several versions of VMware products, including:

  • VMware Cloud Foundation 4.x and 5.x
  • VMware Cloud Foundation 9.x.x.x
  • VMware Aria Operations 8.x
  • VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)

Broadcom has also addressed an information disclosure vulnerability (CVE-2025-41245) and an improper authorization vulnerability (CVE-2025-41246) in VMware products. Patches for these vulnerabilities are available for Aria Ops, Tools, Cloud, and Telco.

Details of CVE-2025-41244

CVE-2025-41244 allows a malicious actor to escalate privileges to root within a VM if they can access it with non-administrative privileges. The vulnerability has been continuously exploited since its identification by NVISO Labs in mid-October 2024.

The underlying issue affects both credential-based and credential-less service discovery modes in VMware Aria Operations. The NVISO report confirms that UNC5174 triggered the local privilege escalation.

Impacted Products

  • VMware Aria Operations
  • VMware Tools
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform
  • VMware Telco Cloud Infrastructure

Known Attack Vectors

A local actor can exploit this vulnerability by having access to a VM with VMware Tools installed and managed by Aria Operations.

Resolution

To remediate CVE-2025-41244, users are advised to apply the patches listed in Broadcom's advisory.

Technical Analysis of the Vulnerability

The vulnerability manifests in the service discovery feature of VMware Tools, specifically through the execution of the get-versions.sh shell script. Unprivileged users can abuse this script if they can place a malicious binary in a directory writable to them, such as /tmp, and keep it running under a command line that matches one of the script's process patterns.

The following excerpt outlines the logic flaw:

get_version() {
  PATTERN=$1
  VERSION_OPTION=$2
  for p in $space_separated_pids
  do
    COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
    [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
  done
}

This function takes the first whitespace-delimited token of any process command line that matches PATTERN and executes it with VERSION_OPTION, without checking that the token resolves to a trusted system binary. Because the probe runs with the discovery service's privileges, an unprivileged user who runs a binary of their own under a matching name (for example from /tmp) gets that binary executed as root.
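The following is an added example, not VMware's script and not NVISO's code. It mirrors the `${COMMAND%%[[:space:]]*}` token extraction from get_version() above, then shows the check the function lacks: the extracted path is canonicalized and must sit under an allow-list of system directories before anything is executed. The TRUSTED_DIRS list, the function names, and the sample command lines are assumptions chosen for illustration; the `audit_running_processes` helper walks /proc on the host it runs on, which a defender can use to list processes whose executable lives outside those directories.

```shell
#!/bin/sh
# Added example (not the VMware get-versions.sh script): a hardened variant of the
# command extraction performed by get_version(), plus a /proc audit helper.

# Assumed allow-list of directories where legitimate service binaries live.
TRUSTED_DIRS="/usr/bin /usr/sbin /bin /sbin /usr/libexec /usr/lib /opt"

# first_token: the same parsing get_version() does with ${COMMAND%%[[:space:]]*}
first_token() {
  printf '%s' "${1%%[[:space:]]*}"
}

# is_trusted_path PATH: succeeds (and prints the canonical path) only when PATH is
# absolute and, after symlink resolution, lies under one of TRUSTED_DIRS.
# Relative tokens are rejected outright rather than resolved through PATH.
is_trusted_path() {
  p=$1
  case "$p" in
    /*) ;;
    *) return 1 ;;
  esac
  if [ -e "$p" ]; then
    canon=$(readlink -f "$p" 2>/dev/null) || canon=$p
  else
    canon=$p
  fi
  for d in $TRUSTED_DIRS; do
    case "$canon" in
      "$d"/*) printf '%s\n' "$canon"; return 0 ;;
    esac
  done
  return 1
}

# classify_cmdline CMDLINE: prints "trusted" or "untrusted" for a process command line.
classify_cmdline() {
  bin=$(first_token "$1")
  if is_trusted_path "$bin" >/dev/null; then
    echo trusted
  else
    echo untrusted
  fi
}

# safe_version_probe CMDLINE VERSION_OPTION: the guarded equivalent of the
# version probe in get_version(). Executes the canonical path (not the raw
# token) only when it is trusted; otherwise returns 2 and runs nothing.
safe_version_probe() {
  cmdline=$1
  version_option=$2
  bin=$(first_token "$cmdline")
  if canon=$(is_trusted_path "$bin"); then
    "$canon" $version_option 2>&1
  else
    printf 'SKIPPED: %s is not under a trusted directory\n' "$bin" >&2
    return 2
  fi
}

# audit_running_processes: list PID and executable for every process whose
# binary is outside TRUSTED_DIRS (what a vulnerable probe would have run).
audit_running_processes() {
  for pid_dir in /proc/[0-9]*; do
    exe=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
    is_trusted_path "$exe" >/dev/null || printf '%s %s\n' "${pid_dir#/proc/}" "$exe"
  done
}

# Constructed sample command lines (not captured from a real host).
SAMPLE_TRUSTED="/usr/sbin/sshd -D"
SAMPLE_UNTRUSTED="/tmp/httpd -k start"
SAMPLE_RELATIVE="httpd -k start"

# Usage:
#   classify_cmdline "$SAMPLE_UNTRUSTED"   # untrusted
#   audit_running_processes                # lines of "<pid> <exe>" for suspect processes
```

Executing the canonical path rather than the raw token closes the obvious symlink trick, but a path check alone still trusts everything under the listed directories; checking that the file is root-owned and not writable by others is a further hardening step if any of those directories can be written by non-root users on a given host.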

Proof of Concept

An unprivileged local attacker can create a malicious binary in a directory writable to them. For example, the following Go code demonstrates the privilege escalation:

package main
// Code omitted for brevity

Once compiled and executed, this code would allow the attacker to spawn an elevated root shell when the VMware metrics collection is executed.

Additional Vulnerabilities Addressed

Broadcom has also patched the following vulnerabilities:

  • CVE-2025-41245: An information disclosure vulnerability in VMware Aria Operations with a CVSSv3 base score of 4.9.
  • CVE-2025-41246: An improper authorization vulnerability in VMware Tools for Windows, rated with a CVSSv3 base score of 7.6.

For further details, refer to the Broadcom Support Portal.

Edward Zhou is CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
