
Newly patched security flaws affecting Broadcom VMware Tools and VMware Aria Operations have been exploited as zero-days in the wild since mid-October 2024, according to NVISO Labs.
The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions:
- VMware Cloud Foundation 4.x and 5.x
- VMware Cloud Foundation 9.x.x
- VMware Cloud Foundation 13.x.x (Windows, Linux)
- VMware vSphere Foundation 9.x.x
- VMware vSphere Foundation 13.x.x (Windows, Linux)
- VMware Aria Operations 8.x
- VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)
- VMware Telco Cloud Infrastructure 2.x and 3.x

“A malicious local actor with non-administrative privileges who has access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.”
Because this is a local privilege escalation, an attacker must first obtain access to the target device through other means.
NVISO researcher Maxime Thiebaut has been credited with discovering and reporting the shortcoming during an incident response engagement on May 19, 2025. The company also states that VMware Tools 12.4.9, part of VMware Tools 12.5.4, corrects the issue on 32-bit Windows systems, and that versions of open-vm-tools addressing CVE-2025-41244 will be distributed by Linux vendors.
Vulnerable get_version() function
Broadcom’s advisory does not mention that the flaw is being exploited in real attacks, but NVISO Labs attributes the activity to UNC5174, a China-linked threat actor tracked by Google Mandiant.
“If successful, the exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (such as root),” says Thiebaut. “However, we cannot assess whether this exploit was part of the capabilities of UNC5174, or whether the use of the zero-day was a coincidence due to its triviality.”
NVISO says the vulnerability is rooted in a function called “get_version()”, which takes a regular expression (regex) pattern as input, iterates over each process that has a listening socket, checks whether the binary associated with that process matches the pattern, and, if so, invokes that binary’s version command for a supported service.
“This behavior works as expected with system binaries (e.g. /usr/bin/httpd), but the extensive use of \S character classes (matching non-whitespace characters) in some regex patterns also matches non-system binaries (e.g. /tmp/httpd).” “These non-system binaries are located in directories that are, by design, writable by unprivileged users (e.g. /tmp).”

As a result, this opens the door to abuse by staging a malicious binary at “/tmp/httpd”: privilege escalation occurs when the VMware metrics collection runs and executes it as root. All a bad actor needs to exploit the flaw is to ensure the binary is run by an unprivileged user and opens an arbitrary listening socket.
The Brussels-based cybersecurity company observed the attackers using the location “/tmp/httpd” to stage malicious binaries and escalating to a root shell to achieve code execution. The exact nature of the payload executed via this method is unknown at this stage.
“The widespread practice of mimicking system binaries (e.g. httpd) highlights the real possibility that several other malware strains have mistakenly benefited from unintended privilege escalation for years.”
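The matching problem described above, as an added illustration that is not NVISO’s or VMware’s code: the service patterns, the trusted-directory list and the sample process table are all constructed here to show why a `\S+` prefix accepts a binary in a user-writable directory, how restricting matches to root-owned system directories closes that gap, and which listening processes a defender should flag.

```python
import re

# Hypothetical service regexes in the style the article describes: the \S+
# prefix (any non-whitespace run) accepts any directory, not only system ones.
PERMISSIVE_PATTERNS = {
    "httpd": re.compile(r"^\S+/httpd$"),
    "nginx": re.compile(r"^\S+/nginx$"),
}

# Hardened rule (assumption): only binaries under root-owned system
# directories may be executed with a version flag by a privileged collector.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/libexec/")

# Constructed sample process table: (pid, executable path, has listening socket)
SAMPLE_PROCS = [
    (812,  "/usr/sbin/httpd",  True),
    (4021, "/tmp/httpd",       True),   # unprivileged user's binary, listening
    (4033, "/tmp/httpd",       False),  # same path, no socket: never considered
    (913,  "/usr/sbin/nginx",  True),
    (5000, "/home/user/nginx", True),
]


def version_probe_targets(procs, patterns, trusted_only=False):
    """Return {service: [exe paths]} a collector would run with a version flag.

    With trusted_only=True the binary must also sit under a trusted prefix,
    which is the mitigation for the /tmp case described in the article.
    """
    targets = {}
    for _pid, exe, listening in procs:
        if not listening:
            continue
        if trusted_only and not exe.startswith(TRUSTED_PREFIXES):
            continue
        for svc, rx in patterns.items():
            if rx.match(exe):
                targets.setdefault(svc, []).append(exe)
    return targets


def untrusted_matches(procs, patterns):
    """Detection view: listening binaries that match a service pattern but
    live outside trusted prefixes, i.e. what a defender should alert on."""
    permissive = {e for paths in version_probe_targets(procs, patterns).values() for e in paths}
    hardened = {e for paths in version_probe_targets(procs, patterns, True).values() for e in paths}
    return sorted(permissive - hardened)


if __name__ == "__main__":
    print("would execute:", version_probe_targets(SAMPLE_PROCS, PERMISSIVE_PATTERNS))
    print("suspicious   :", untrusted_matches(SAMPLE_PROCS, PERMISSIVE_PATTERNS))
```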