CVE-2025-41244

Published Sep 29, 2025

Last updated 2 days ago

CVSS high 7.8
VMware Tools

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-41244 is a local privilege escalation vulnerability affecting VMware Tools and VMware Aria Operations. It stems from overly broad regular expression patterns in the `get-versions.sh` component used by both VMware Tools and Aria Operations' Service Discovery Management Pack (SDMP). The `get_version()` function in this script scans for listening sockets and then executes matched binaries to retrieve version information. However, because the patterns use the non-whitespace shorthand `\S`, they also match binaries in user-writable locations such as `/tmp/httpd`. Attackers can exploit this by staging malicious binaries in these user-writable locations. The privileged VMware context then executes these binaries, leading to a local privilege escalation. Because binaries that mimic system binaries in writable paths get executed, CVE-2025-41244 falls under CWE-426: Untrusted Search Path and makes local privilege escalation trivial.
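The over-matching described above, shown next to a stricter directory check, as an added example that is not VMware's code. The pattern is a constructed stand-in for the `\S`-based matching (written with the POSIX class `[^[:space:]]`); the trusted-directory list, function names and sample lines are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for the over-broad matching; [^[:space:]] is the
# POSIX spelling of \S. This is not the pattern from get-versions.sh.
BROAD_PATTERN='^/[^[:space:]]+/httpd$'

# Assumed allow-list: directories that only root can write to.
TRUSTED_DIRS='/usr/sbin /usr/bin /sbin /bin'

# True if the broad pattern accepts the path (any directory qualifies).
broad_match() {
    printf '%s\n' "$1" | grep -Eq "$BROAD_PATTERN"
}

# True only if the path's directory is exactly one of TRUSTED_DIRS.
trusted_match() {
    dir=${1%/*}
    for d in $TRUSTED_DIRS; do
        if [ "$dir" = "$d" ]; then return 0; fi
    done
    return 1
}

# Reads "pid path" lines and prints those that the broad pattern would
# hand to a privileged caller although the path is outside TRUSTED_DIRS.
flag_untrusted() {
    while read -r pid exe; do
        if broad_match "$exe" && ! trusted_match "$exe"; then
            printf '%s %s\n' "$pid" "$exe"
        fi
    done
}

# Constructed sample of listening processes (pid and executable path).
SAMPLE='812 /usr/sbin/httpd
4410 /tmp/httpd
4522 /home/dev/build/httpd
901 /usr/sbin/sshd'

flagged() { printf '%s\n' "$SAMPLE" | flag_untrusted; }

flagged
```

On a live guest, the same "pid path" lines can be built from each listening process's `/proc/<pid>/exe` link.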

Description
VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.
Source: security@vmware.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

security@vmware.com: CWE-267

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

9

  1. $AVGO Fixes exploited VMware zero-day (CVE-2025-41244) — security risks managed. Framework set, stop-loss and target marked. https://t.co/ZPcTSvCMeY https://t.co/4f1D7niSP4

    @Vugalo22

    2 Oct 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Actively exploited CVE : CVE-2025-41244

    @transilienceai

    2 Oct 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Multiple vulnerabilities in Broadcom (VMware) (CVE-2025-41244, 41245, 41246) https://t.co/IBo8bRtfWv #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    2 Oct 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Broadcom did not disclose zero-day attacks on the VMware vulnerability (CVE-2025-41244) https://t.co/7HgqTMLPgj #Security #セキュリティー #ニュース

    @SecureShield_

    2 Oct 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. VMware: Critical Vulnerability CVE-2025-41244 Being Actively Exploited https://t.co/8ekyzZsVwQ https://t.co/nqP1gPGbh2

    @ctrlaltnod

    1 Oct 2025

    5 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. A zero-day vulnerability, CVE-2025-41244 (CVSS score: 7.8), affecting Broadcom VMware Tools and VMware Aria Operations, has been exploited by the China-linked threat actor UNC5174 since mid-October 2024. https://t.co/2B0O0yUGa0

    @securityRSS

    1 Oct 2025

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Broadcom just patched a zero-day VMware vulnerability (CVE-2025-41244) that’s been exploited in the wild—attackers used it to elevate privileges in VMs with VMware Tools. It’s been active for months. If your setup runs VMware Aria or has VMware Tools installed, you need to

    @TechTal3s

    1 Oct 2025

    50 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. A new vulnerability in VMware was exploited by Chinese state-backed attackers for more than a year. The vulnerability, CVE-2025-41244, reported recently, allows privilege escalation by actors

    @Cybereayn

    1 Oct 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 Critical #Debian 11 security update! CVE-2025-41244 in open-vm-tools allows local privilege escalation on VMware VMs. Read more: 👉 https://t.co/Rui6EVU4vy #Security https://t.co/w7FV9B1B40

    @Cezar_H_Linux

    1 Oct 2025

    58 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🛑 VMware: the CVE-2025-41244 flaw is reportedly being exploited as a zero-day by UNC5174, a group sponsored by the Chinese state. 🎯 Local privilege escalation. It affects VMware Tools and Aria Operations. 🧷 More info: https://t.co/wRh6NklD3Y #VMware #in

    @ITConnect_fr

    1 Oct 2025

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 CVE-2025-41244 in #VMware Aria is being exploited! Linked to Chinese APT #UNC5174, this flaw allows root access via SDMP. ⚠️ Patch now. Audit configs. Monitor for threats. 🔗: https://t.co/cNu5LQSvC4

    @socradar

    1 Oct 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Actively exploited CVE : CVE-2025-41244

    @transilienceai

    1 Oct 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. You name it, VMware elevates it (CVE-2025-41244) https://t.co/c10anz0DIL

    @Dinosn

    1 Oct 2025

    2024 Impressions

    1 Retweet

    11 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

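  14. [Zero-day vulnerability / attack on virtualization infrastructure] It has come to light that the Chinese state-sponsored threat group UNC5174 had been secretly exploiting a VMware vulnerability since October 2024. CVE-2025-41244, fixed by Broadcom, VMware Tools and VMware Aria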

    @nakajimeeee

    1 Oct 2025

    924 Impressions

    2 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  15. On the exploitation of a VMware zero-day vulnerability by China-linked hackers (CVE-2025-41244) https://t.co/tfW89hjKwH #Security #セキュリティー #ニュース

    @SecureShield_

    1 Oct 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. VMware Zero-Day CVE-2025-41244 Actively Exploited! UNC5174 is exploiting a regex bug in VMware's get_version() since Oct 2024. 🛑 Update immediately to block this privilege escalation! #CyberSec #patchtuesday #UNC5174 https://t.co/oFU2tZWkXb

    @CyberWolfGuard

    30 Sept 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. ⚠ VMware zero-day just dropped: CVE-2025-41244 lets non-admin users escalate to root via VMware Tools/Aria SDMP. Discovered in wild (UNC5174) since Oct ’24. Patch ASAP. #VMware #ZeroDay #PrivilegeEscalation #InfoSec

    @Wh1teCoon

    30 Sept 2025

    146 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. China-Linked Hackers Exploit VMware Zero-Day in Ongoing Cyber Attacks! Hackers linked to China have been exploiting a fresh VMware zero-day (CVE-2025-41244) since October 2024, elevating local privileges on compromised VMs. The Hacker News At AGT, we shield your infrastructure

    @ChbibAnas

    30 Sept 2025

    18 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  19. 🚨 New VMware Zero-Day Exploited China-linked hackers (UNC5174) are actively abusing CVE-2025-41244 — a privilege escalation flaw in VMware Tools & Aria Ops. Exploits spotted since Oct ’24. 🔒 Patch now: VMware Tools 12.4.9+ / updated open-vm-tools. ⚠️ Local acc

    @cybrhoodsentinl

    30 Sept 2025

    266 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🚨🚨🚨 Broadcom disclosed a local privilege escalation vulnerability, CVE-2025-41244, affecting VMware's guest service discovery features. Researchers identified zero-day exploitation in the wild starting mid-October 2024. https://t.co/ersxHmRkNQ

    @IntCyberDigest

    30 Sept 2025

    1560 Impressions

    3 Retweets

    13 Likes

    3 Bookmarks

    1 Reply

    1 Quote

  21. 🔥 Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024 • CVE-

    @PurpleOps_io

    30 Sept 2025

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. NVISO: VMware CVE-2025-41244 exploited in wild by UNC5174 (TEMP.Hex) since Oct 2024. CORTEX Analysis: Trivial local privilege escalation in VMware Tools risks stealth persistence across hybrid cloud environments. Patch immediately. #VMware #CVE #ThreatIntel https://t.co/946NzC7

    @the_c_protocol

    30 Sept 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. You name it, VMware elevates it (CVE-2025-41244) - https://t.co/juWIWLmiFo

    @piedpiper1616

    30 Sept 2025

    1564 Impressions

    9 Retweets

    28 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  24. 🚨 WARNING! VMware Zero-Day Exploit Detected! 🚨 Urgent news from the cyber world! A VMware zero-day vulnerability (CVE-2025-41244) has reportedly been exploited in the wild. The hacking group, UNC5174, has been leveraging this flaw to breach systems. According to reports, h

    @BreachInformer

    30 Sept 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Urgent: new VMware zero-day vulnerability being exploited (CVE-2025-41244) https://t.co/6cBZF7bfBp

    @SeguInfo

    30 Sept 2025

    636 Impressions

    6 Retweets

    5 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  26. You name it, VMware elevates it (CVE-2025-41244) https://t.co/AGvOj3TOje https://t.co/yaHKw8s7H8

    @secharvesterx

    30 Sept 2025

    82 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🔥 [New] VMware zero-day (CVE-2025-41244) exploited in the wild! UNC5174 popped root by abusing a regex bug in get_version() — drop /tmp/httpd, open a socket, and you’re root. Already active since Oct ’24. Details → https://t.co/7nqbOrE9Bq

    @TheHackersNews

    30 Sept 2025

    23348 Impressions

    93 Retweets

    243 Likes

    73 Bookmarks

    3 Replies

    5 Quotes

  28. csirt_it: #VMware: security updates released to fix several vulnerabilities of “high” severity, including a #0day identified as CVE-2025-41244 Risk: 🔴 Types include: 🔸 Privilege Escalation 🔗 https://t.co/TMQZwxU67Q 🔄 Ag… https://

    @Vulcanux_

    30 Sept 2025

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. 🔥 VMware Tools and Aria 0-Day Under Active Exploitation for Privilege Escalatio

    @PurpleOps_io

    30 Sept 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. "On September 29th, 2025, Broadcom disclosed a local privilege escalation vulnerability, CVE-2025-41244, impacting VMware’s guest service discovery features. @NVISO_Labs has identified zero-day exploitation in the wild beginning mid-October 2024. The vulnerability impacts bot

    @cyb3rops

    30 Sept 2025

    16909 Impressions

    44 Retweets

    123 Likes

    45 Bookmarks

    3 Replies

    2 Quotes

  31. You name it, VMware elevates it (CVE-2025-41244) https://t.co/9bBfzsu9Ho On September 29th, 2025, Broadcom disclosed a local privilege escalation vulnerability, CVE-2025-41244, impacting VMware’s guest service discovery features. NVISO has identified zero-day exploitation in

    @f1tym1

    29 Sept 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. VMware Aria Operations & VMware Tools: CVE-2025-41244 A new local privilege escalation flaw lets attackers gain higher rights on affected systems. Patch ASAP to reduce risk. For more details, read ZeroPath's blog on this vuln. #AppSec #VMware #InfoSec https://t.co/sLRXGGVX

    @ZeroPathLabs

    29 Sept 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. You name it, VMware elevates it (CVE-2025-41244) https://t.co/dqdWLwY6KO

    @Dinosn

    29 Sept 2025

    4765 Impressions

    22 Retweets

    65 Likes

    18 Bookmarks

    0 Replies

    1 Quote

  34. On September 29th, 2025, Broadcom disclosed a local privilege escalation vulnerability, CVE-2025-41244, impacting VMware’s guest service discovery features. NVISO has identified zero-day exploitation in the wild beginning mid-October 2024. All details - https://t.co/QOjY60sLzr

    @NVISO_Labs

    29 Sept 2025

    1829 Impressions

    11 Retweets

    25 Likes

    9 Bookmarks

    0 Replies

    0 Quotes