Broadcom Addresses VMware Zero-Day Vulnerability CVE-2025-41244

Edward Zhou, CEO & Co-Founder

October 2, 2025 | 3 min read

Broadcom Patches VMware Zero-Day Exploited by UNC5174

Broadcom has released patches for six VMware vulnerabilities, including CVE-2025-41244, which has been actively exploited in the wild by the threat actor known as UNC5174 since mid-October 2024. This local privilege escalation vulnerability affects VMware Aria Operations and VMware Tools.

[Image: Chinese hackers espionage. Image courtesy of Security Affairs]

According to Broadcom's advisory, “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.” The maximum CVSSv3 base score for this vulnerability is 7.8.

The vulnerability impacts several versions of VMware products, including:

  • VMware Cloud Foundation 4.x and 5.x
  • VMware Cloud Foundation 9.x.x.x
  • VMware Aria Operations 8.x
  • VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)

Broadcom has also addressed an information disclosure vulnerability (CVE-2025-41245) and an improper authorization vulnerability (CVE-2025-41246) in VMware products. Patches for these vulnerabilities are available for Aria Operations, VMware Tools, Cloud Foundation, and the Telco Cloud products.

Details of CVE-2025-41244

CVE-2025-41244 allows a malicious actor to escalate privileges to root within a VM if they can access it with non-administrative privileges. The vulnerability has been continuously exploited since its identification by NVISO Labs in mid-October 2024.

The underlying issue affects both credential-based and credential-less service discovery modes in VMware Aria Operations. The NVISO report confirms that UNC5174 triggered the local privilege escalation.

Impacted Products

  • VMware Aria Operations
  • VMware Tools
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform
  • VMware Telco Cloud Infrastructure

Known Attack Vectors

A local actor with non-administrative access to a VM that has VMware Tools installed and is managed by Aria Operations with SDMP enabled can exploit this vulnerability.

Resolution

To remediate CVE-2025-41244, users are advised to apply the patches listed in Broadcom's advisory.

Technical Analysis of the Vulnerability

The vulnerability manifests in the service discovery feature of VMware Tools, specifically in the get-versions.sh shell script, which locates running services by matching their command lines and then runs the matched binary with a version option. An unprivileged user can abuse this by placing a malicious binary in a directory writable to them, such as /tmp, and running it under a name that the script's patterns match.

The following excerpt outlines the logic flaw:

get_version() {
  PATTERN=$1          # regular expression that identifies the service's command line
  VERSION_OPTION=$2   # option passed to the matched binary to make it print its version
  for p in $space_separated_pids
  do
    # Extract the portion of the process command line that matches the pattern
    COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
    # Execute the first whitespace-delimited token of the match, wherever on disk it
    # resides, and report its output between the VERSIONSTART/VERSIONEND markers
    [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
  done
}

The function executes whatever path matched the pattern and never restricts execution to trusted system binaries, so an unprivileged user whose process command line matches one of the discovery patterns can have their own binary run with elevated privileges, disguised as a legitimate service.
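The following Python script is an added example for this article, not VMware's code or the vendor's fix. It mirrors what the excerpt above does to a command line (grep -Eo with a pattern, then keep the text up to the first whitespace) so that a defender can see exactly which token the discovery logic would execute, and it pairs that with the check the script lacks: a candidate is only acceptable if it is an absolute, normalized path under a root-managed directory and, optionally, a root-owned file without group/other write bits. The process list, the discovery pattern and the TRUSTED_DIRS allowlist are constructed assumptions for the example; the real get-versions.sh patterns and file layout are not reproduced here.

```python
import os
import re
import stat

# Constructed sample of (pid, command line) pairs, shaped like what a discovery
# script reads from /proc/<pid>/cmdline. Made up for this example, not real telemetry.
SAMPLE_PROCESSES = [
    (1201, "/usr/sbin/httpd -k start"),
    (1342, "/tmp/httpd -k start"),                                   # dropped in a world-writable dir
    (1410, "/usr/bin/python3 /opt/app/server.py"),                  # does not match the pattern
    (1555, "/dev/shm/.cache/nginx -g daemon off;"),                  # untrusted location
    (1600, "nginx: master process /usr/sbin/nginx -g daemon off;"),  # match sits mid-line
]

# Hypothetical discovery pattern in the style of the script's $PATTERN: a token that
# ends in a known service name, followed by the rest of the line. The original script
# executes the first whitespace-delimited token of the match with a version option.
PATTERN = re.compile(r"\S*/(?:httpd|nginx)\b.*")

# Assumed allowlist of root-managed locations for a hardened collector.
TRUSTED_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/lib", "/usr/libexec")


def candidate_from_cmdline(cmdline, pattern=PATTERN):
    """Mirror the excerpt: grep -Eo "$PATTERN", then ${COMMAND%%[[:space:]]*}.
    Returns the token the original script would execute, or None if nothing matches."""
    m = pattern.search(cmdline)
    if not m:
        return None
    return m.group(0).split()[0]


def is_trusted_path(path):
    """Path-level check: absolute, normalized, and under an allowlisted directory.
    Rejects bare names (resolved via PATH) and '/usr/bin/../../tmp/x' style paths."""
    if not path.startswith("/"):
        return False
    norm = os.path.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in TRUSTED_DIRS)


def is_root_owned_unwritable(path):
    """File-level check: exists, is a regular file, owned by uid 0, and has no
    group/other write bit. Missing or unreadable paths count as untrusted."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_uid != 0:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(processes, pattern=PATTERN, check_file=False):
    """Classify every process the pattern matches. Returns (pid, candidate, verdict)
    tuples with verdict 'trusted' or 'untrusted'; non-matching processes are skipped.
    With check_file=True the on-disk ownership/permission check is applied as well."""
    findings = []
    for pid, cmdline in processes:
        cand = candidate_from_cmdline(cmdline, pattern)
        if cand is None:
            continue
        ok = is_trusted_path(cand)
        if ok and check_file:
            ok = is_root_owned_unwritable(cand)
        findings.append((pid, cand, "trusted" if ok else "untrusted"))
    return findings


if __name__ == "__main__":
    # A hardened collector would only run the 'trusted' candidates; the
    # 'untrusted' ones are exactly what a detection rule should alert on.
    for pid, cand, verdict in audit(SAMPLE_PROCESSES):
        print(f"pid={pid} candidate={cand} verdict={verdict}")
```

Run against the constructed sample, the script reports /tmp/httpd (pid 1342) and /dev/shm/.cache/nginx (pid 1555) as untrusted while accepting the /usr/sbin binaries, which is the distinction the original get_version() never makes. On a live host the same two checks (path allowlist plus root-owned, non-writable file) give a hunting rule: any process whose command line matches a discovery pattern but whose executable lives outside root-managed directories deserves a look.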

Proof of Concept

An unprivileged local attacker can create a malicious binary in a directory writable to them. For example, the following Go code demonstrates the privilege escalation:

package main
// Code omitted for brevity

Once compiled and executed, this code would allow the attacker to spawn an elevated root shell when the VMware metrics collection is executed.

Additional Vulnerabilities Addressed

Broadcom has also patched the following vulnerabilities:

  • CVE-2025-41245: An information disclosure vulnerability in VMware Aria Operations with a CVSSv3 base score of 4.9.
  • CVE-2025-41246: An improper authorization vulnerability in VMware Tools for Windows, rated with a CVSSv3 base score of 7.6.

For further details, refer to the Broadcom Support Portal.
