Attack

Hackers exploit VMware Zero-Day for privilege escalation since October 2024

Take action: If you run VMware virtual machines with VMware Tools or Aria Operations installed, be aware that attackers have been trying to breach them since October 2024. Plan a very quick update to VMware Tools version 12.5.4 or later and Aria Operations 8.18.5 or later. Also run a forensic check to determine whether you have already been breached.


Learn More

Broadcom has patched a local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools. The flaw enables unprivileged local users to achieve root-level code execution on virtual machines without authentication, and it has been actively exploited in the wild since mid-October 2024.

Organizations relying on VMware hypervisors commonly deploy the VMware Aria Suite to manage their hybrid-cloud workloads from a centralized console. VMware Aria Operations is the performance monitoring and capacity planning component. A key feature of VMware Aria Operations is its Service Discovery Management Pack (SDMP), which identifies and catalogs services and applications running in guest virtual machines.

The vulnerability is tracked as CVE-2025-41244 (CVSS score 7.8). Its root cause lies in the get-versions.sh shell script, a component of open-vm-tools' service discovery feature responsible for identifying service versions. The script contains a generic get_version function that accepts two arguments: a regular expression pattern to match supported service binaries (such as /usr/bin/apache) and a version command (such as -v) indicating how the matched binary should be invoked to retrieve its version information.

During execution, the get_version function iterates through a list of all processes with listening sockets, checking whether each process's binary path matches the provided regular expression pattern. When a match is found, the function invokes that binary with the specified version command. The flaw is caused by the use of overly broad regular expression patterns employing the \S character class, which matches any non-whitespace character. These patterns match not only legitimate system binaries located in protected directories like /usr/bin but also user-created binaries in world-writable directories such as /tmp.

The vulnerable regular expression patterns include calls such as get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)( |\s)" -v and get_version "/\S+/mysqld( |\s)" -V, among others. These patterns can match malicious binaries placed by unprivileged users in locations like /tmp/httpd or /tmp/mysqld.

Security researchers from NVISO identified the zero-day exploitation during incident response engagements and linked the attacks with high confidence to UNC5174, a Chinese state-sponsored threat actor affiliated with China's Ministry of State Security (MSS). This group has a documented history of exploiting public vulnerabilities for initial access operations, including targeting F5 BIG-IP, ConnectWise ScreenConnect, and SAP NetWeaver systems.

The vulnerability impacts multiple versions of VMware products:

  • VMware Tools: Versions prior to 12.5.4 are affected. Organizations should upgrade to VMware Tools 12.5.4 or later, which includes version 12.4.9 for Windows 32-bit systems.
  • VMware Aria Operations: Versions prior to 8.18.5 are vulnerable. The patched version 8.18.5 addresses CVE-2025-41244 along with two additional vulnerabilities (CVE-2025-41245 and CVE-2025-41246).
  • Open-VM-Tools: Linux distributions will receive patched versions through their respective vendor channels, as this open-source component is maintained and distributed by individual Linux vendors.
  • VMware Cloud Foundation and vSphere Foundation: Organizations running version 9.0.1.0 should ensure they deploy VMware Tools 13.0.5.0, which includes the security fix.

Organizations can detect successful exploitation of CVE-2025-41244 through monitoring for anomalous child processes originating from VMware Tools or Aria Operations service discovery components. Security teams should configure alerts for unexpected process chains where vmtoolsd or the get-versions.sh script spawn child processes from non-standard paths such as /tmp or other world-writable directories. As this is a local privilege escalation vulnerability, its exploitation indicates that adversaries have already gained initial access to affected systems, suggesting that multiple detection mechanisms should have triggered earlier in the attack chain.
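As an added example (not code from the article or from open-vm-tools), the following Python mimics the get_version matching logic described above over a constructed table of listening processes, shows which binaries the broad patterns would run as root, and adds the trusted-directory check and the parent/child process rule from the detection guidance. The two pattern strings are the ones quoted in the article; the trusted-prefix list, the world-writable-directory list, the sample processes and all function names are assumptions made for this example.

```python
import re

# Pattern strings as quoted in the article (the get_version calls in get-versions.sh),
# paired with the version flag the script would pass to a matched binary.
VULNERABLE_PATTERNS = [
    (r"/\S+/(httpd-prefork|httpd|httpd2-prefork)( |\s)", "-v"),
    (r"/\S+/mysqld( |\s)", "-V"),
]

# Assumed allowlist of root-owned directories an unprivileged user cannot write to.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/opt/")
# Assumed list of world-writable locations used by the process-chain detection rule.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
SERVICE_DISCOVERY_PARENTS = ("vmtoolsd", "get-versions.sh")

# Constructed sample of processes with listening sockets: (pid, uid, command line).
SAMPLE_LISTENERS = [
    (812, 0, "/usr/sbin/httpd -k start"),
    (915, 27, "/usr/sbin/mysqld --basedir=/usr"),
    (4410, 1001, "/tmp/httpd"),               # binary planted by an unprivileged user
    (4411, 1001, "/tmp/mysqld --daemon"),
    (230, 0, "/usr/sbin/sshd -D"),
]

def discover(listeners):
    """Mimic get_version: for each listener whose command line matches one of the
    broad patterns, record the binary and flag that would be executed as root.
    A trailing space is appended so the ( |\\s) group can match a bare path."""
    planned = []
    for pid, uid, cmdline in listeners:
        for pattern, flag in VULNERABLE_PATTERNS:
            if re.search(pattern, cmdline + " "):
                planned.append((pid, uid, cmdline.split()[0], flag))
                break
    return planned

def is_trusted(binary):
    """Hardening check (an assumption, not the vendor's patch): only binaries under
    root-owned system prefixes may be invoked for version discovery."""
    return binary.startswith(TRUSTED_PREFIXES)

def untrusted_invocations(listeners):
    """Triage view: invocations the vulnerable logic would perform on binaries
    outside trusted directories, i.e. exactly the exploitation condition."""
    return [(pid, binary, flag) for pid, uid, binary, flag in discover(listeners)
            if not is_trusted(binary)]

def suspicious_child(parent_comm, child_exe):
    """Detection rule from the guidance above: a service discovery component
    spawning a child from a world-writable directory is an alert condition."""
    return parent_comm in SERVICE_DISCOVERY_PARENTS and child_exe.startswith(WORLD_WRITABLE)
```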

Organizations running affected VMware environments should immediately prioritize patching to eliminate the CVE-2025-41244 vulnerability. Broadcom released security updates on September 29, 2025, through security advisory VMSA-2025-0015.
