CVE-2025-41244 (CVSS 7.8) is a local privilege escalation vulnerability in VMware Tools and VMware Aria Operations when the Service Discovery Management Pack (SDMP) is enabled. Exploitation allows a non-administrative user on a virtual machine to escalate directly to root.
Broadcom released patches on September 29, 2025, but threat intelligence teams have confirmed that UNC5174, a China-linked advanced persistent threat group, has been exploiting the flaw since October 2024. Their campaign has primarily targeted U.S. defense contractors, U.K. government agencies, NGOs, and universities.
Exploitation details
The root cause lies in a flawed regex pattern used by VMware’s service discovery function. By failing to properly restrict executable paths, the discovery tool treats attacker-controlled binaries in writable directories as legitimate services.
NVISO researchers observed exploitation chains where attackers placed a fake binary such as /tmp/httpd.
When discovery was triggered, the binary was executed with elevated privileges, spawning a root shell and allowing attackers to establish persistence. A proof-of-concept demonstrating the simplicity of this technique has already been made public.
Affected products
The vulnerability impacts multiple VMware components. Aria Operations is affected in versions prior to 8.18.5, VMware Tools before 13.0.5 and 12.5.4 (including open-vm-tools shipped with Linux distributions), and VMware Cloud Foundation Operations before 9.0.1.0.
No vendor workarounds exist, meaning patching is the only viable mitigation path.
Threat actor activity
The earliest known exploitation of this flaw has been attributed to UNC5174. The group is known for acting as an initial access broker, leveraging zero-days to gain stealthy footholds in sensitive networks before selling or handing access to other actors.
Their use of CVE-2025-41244 demonstrates a continued strategy of targeting enterprise software widely deployed in hybrid-cloud environments.
Immediate actions
Organizations should treat this as an urgent priority.
- Patch Aria Operations, VMware Tools, and Cloud Foundation Operations to the fixed versions, and update golden images, templates, and CI/CD runners.
- Audit where SDMP is enabled across the environment and disable it when not required.
- Limit opportunities for exploitation by restricting non-admin shell access on guest VMs and enforcing security policies such as mounting /tmp with noexec.
Detection guidance
Because active exploitation has been confirmed, defenders should assume opportunistic abuse. Focus monitoring on guest VMs that run VMware Tools and Aria Operations with SDMP.
- Look for vmtoolsd or Aria discovery scripts spawning unexpected binaries from /tmp or other writable directories.
- Investigate processes named httpd or similar running from unusual paths, for example a command line such as /tmp/httpd -v.
- Review temporary SDMP script folders such as /tmp/VMware-SDMP-Scripts-* for signs of unauthorized execution, and track any short-lived listening sockets tied to binaries outside system directories.
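As an added example (not code from the original post or from VMware), the following script applies the first two checks above to constructed process-creation records. The one-line record format, the directory lists, the service-name list and the sample script name discover.sh are assumptions to adapt to your own telemetry.

```python
import re
from typing import List, Optional, Tuple

# Constructed one-line exec records (our own format, not vmtoolsd or auditd output).
LINE_RE = re.compile(
    r'pid=(?P<pid>\d+)\s+parent=(?P<parent>\S+)\s+exe=(?P<exe>\S+)\s+argv="(?P<argv>[^"]*)"'
)
# Parents that perform service discovery: vmtoolsd and the temporary SDMP script folders.
DISCOVERY_PARENT_RE = re.compile(r"(^|/)vmtoolsd$|^/tmp/VMware-SDMP-Scripts-")
# Where a genuinely installed service binary is expected to live (assumed list).
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/opt/")
# User-writable locations and service names worth a second look (assumed starting lists).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
SERVICE_NAMES = {"httpd", "nginx", "mysqld", "postgres"}

def parse_event(line: str) -> Optional[dict]:
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(ev: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one parsed exec event."""
    exe = ev["exe"]
    # Rule 1: a discovery component executed something outside system directories.
    if DISCOVERY_PARENT_RE.search(ev["parent"]) and not exe.startswith(SYSTEM_DIRS):
        return "high"
    # Rule 2: a service-named binary runs from a writable path, whatever spawned it.
    if exe.startswith(WRITABLE_DIRS) and exe.rsplit("/", 1)[-1] in SERVICE_NAMES:
        return "medium"
    return None

def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (pid, severity, exe) for every record that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev) if ev else None
        if sev:
            hits.append((ev["pid"], sev, ev["exe"]))
    return hits

# Constructed sample telemetry: one benign discovery run, two abusive ones, one stray copy.
SAMPLE_EVENTS = """\
pid=4120 parent=/usr/bin/vmtoolsd exe=/usr/sbin/httpd argv="httpd -v"
pid=4130 parent=/usr/bin/vmtoolsd exe=/tmp/httpd argv="/tmp/httpd -v"
pid=4140 parent=/tmp/VMware-SDMP-Scripts-a1b2/discover.sh exe=/home/dev/nginx argv="nginx -v"
pid=4150 parent=/usr/bin/bash exe=/tmp/httpd argv="/tmp/httpd -v"
pid=4160 parent=/usr/bin/bash exe=/usr/bin/ls argv="ls -la"
""".splitlines()
```

Running scan(SAMPLE_EVENTS) flags pids 4130 and 4140 as high and 4150 as medium; the benign discovery of /usr/sbin/httpd is left alone.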
Why this matters
VMware Tools and Aria are deeply embedded in enterprise virtualization environments, which makes this vulnerability particularly dangerous. A simple local-to-root escalation shrinks the attacker kill chain, enabling rapid credential theft, persistence, and lateral movement from even a limited foothold.
The exploitation window has already spanned nearly a year, further increasing the risk that attackers have established long-term persistence in unpatched systems.
OP Innovate recommendations
Patch immediately, validate images to prevent reintroduction, and reduce SDMP exposure wherever possible. A lightweight detection rule for vmtoolsd spawning non-system binaries provides a quick win, but any indication of abuse should trigger full incident response to assess persistence and credential theft.
Stay Safe. Stay Secure.
OP Innovate Research Team.