A zero-day local privilege escalation vulnerability in VMware Tools and VMware Aria Operations is being actively exploited in the wild. The flaw, tracked as CVE-2025-41244<\/a>, allows an unprivileged local attacker to gain root-level code execution on affected systems.<\/p>\n On September 29, 2025, Broadcom disclosed the vulnerability, which exists within VMware\u2019s guest service discovery features. However, security firm NVISO reported identifying zero-day exploitation of this flaw dating back to mid-October 2024 during incident response engagements.<\/p>\n The vulnerability impacts both VMware Tools and VMware Aria Operations, key components used for managing virtualized environments. Successful exploitation allows a user with low privileges to execute arbitrary code within a privileged context, such as the root user on Linux systems.<\/p>\n The flaw affects two distinct service discovery modes:<\/p>\n NVISO researchers confirmed the flaw exists in the open-source variant of VMware Tools, The root cause of CVE-2025-41244 is an Untrusted Search Path weakness (CWE-426) in the The script uses overly broad regular expressions to locate service binaries. For example, a pattern like An attacker can exploit this by placing a malicious executable at a path like The flawed script will find and execute the attacker\u2019s malicious binary with the NVISO has attributed<\/a> the in-the-wild exploitation to UNC5174, a threat actor believed to be sponsored by the Chinese state. This group has a history of leveraging public exploits for initial access operations.<\/p>\n However, researchers noted that due to the trivial nature of the exploit and the common threat actor practice of naming malware after system binaries (e.g., Organizations can detect exploitation by monitoring for unusual child processes spawned by Broadcom has released patches<\/a> and published a security advisory to address CVE-2025-41244, and users are urged to apply the updates immediately.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post VMware Tools and Aria 0-Day Vulnerability Exploited for Privilege Escalation and Code Execution<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\n
open-vm-tools<\/code>, which is distributed with most major Linux distributions.<\/p>\n0-Day Vulnerability Exploitation<\/strong><\/h2>\n
get-versions.sh<\/code> script, which is responsible for identifying the versions of services running on a virtual machine.<\/p>\n\/S+\/httpd<\/code> is designed to find the Apache web server binary, but will also match a file named httpd<\/code> located in a user-writable directory like \/tmp<\/code>.<\/p>\n\/tmp\/httpd<\/code>. They then run this malicious process and have it open a listening socket. When the VMware service discovery process runs (typically every five minutes), it scans for running services.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgOH2hQpfWJOxwdQPmhPh3pn7qlbdnJ5s2oAzZBdlO6tt-tiOhttIvGqkYc6N1_TyBgZ5wKPxmvjEQ9-ujtEZNHjQGWWVLGSwV94vdqw1XBmnIIezBFs1XgHMwvYzJ9bXQb0zVQ5owD9UY5wNQLiopQIHhdZVsUPFF9caa0uQ_0wuUpF4GKe1NxCf_2cwPv\/s16000\/5%2520mins.webp?ssl=1\")
<\/figure>\n-v<\/code> flag to get its version, but it does so with the elevated privileges of the VMware Tools service. This provides the attacker with a root shell, granting them full control over the system.<\/p>\nhttpd<\/code>), it is unclear if UNC5174 exploited the flaw intentionally or accidentally. It is possible that other malware has been unintentionally benefiting from this privilege escalation for years.<\/p>\nvmtoolsd<\/code> or the get-versions.sh<\/code> script. In credential-based mode, forensic evidence<\/a> may be found in lingering script files located in \/tmp\/VMware-SDMP-Scripts-{UUID}\/<\/code> directories.<\/p>\n