A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor called UNC5174, according to NVISO Labs.
The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions –
- VMware Cloud Foundation 4.x and 5.x
- VMware Cloud Foundation 9.x.x.x
- VMware Cloud Foundation 13.x.x.x (Windows, Linux)
- VMware vSphere Foundation 9.x.x.x
- VMware vSphere Foundation 13.x.x.x (Windows, Linux)
- VMware Aria Operations 8.x
- VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)
- VMware Telco Cloud Platform 4.x and 5.x
- VMware Telco Cloud Infrastructure 2.x and 3.x
“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” VMware said in an advisory released Monday.
The fact that it’s a local privilege escalation means that the adversary will have to secure access to the infected device through some other means.
NVISO researcher Maxime Thiebaut has been credited for discovering and reporting the shortcoming on May 19, 2025, during an incident response engagement. The company also said VMware Tools 12.4.9, which is part of VMware Tools 12.5.4, remediates the issue for Windows 32-bit systems, and that a version of open-vm-tools that addresses CVE-2025-41244 will be distributed by Linux vendors.
 |
| The vulnerable get_version() function |
While Broadcom makes no mention of it being exploited in real-world attacks, NVISO Labs attributed the activity to a China-linked threat actor Google Mandiant tracks as UNC5174 (aka Uteus or Uetus), which has a track record of exploiting various security flaws, including those impacting Ivanti and SAP NetWeaver, to obtain initial access to target environments.
“When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root),” Thiebaut said. “We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.”
NVISO said the vulnerability is rooted in a function called “get_version()” that takes a regular expression (regex) pattern as input for each process with a listening socket, checks whether the binary associated with that process matches the pattern, and, if so, invokes the supported service’s version command.
“While this functionality works as expected for system binaries (e.g., /usr/bin/httpd), the usage of the broad‑matching S character class (matching non‑whitespace characters) in several of the regex patterns also matches non-system binaries (e.g., /tmp/httpd),” Thiebaut explained. “These non-system binaries are located within directories (e.g., /tmp) which are writable to unprivileged users by design.”
As a result, this opens the door to potential abuse by an unprivileged local attacker by staging the malicious binary at “/tmp/httpd,” resulting in privilege escalation when the VMware metrics collection is executed. All a bad actor requires to abuse the flaw is to ensure that the binary is run by an unprivileged user and it opens a random listening socket.
The Brussels-based cybersecurity company noted that it observed UNC5174 using the “/tmp/httpd” location to stage the malicious binary and spawn an elevated root shell and achieve code execution. The exact nature of the payload executed using this method is unclear at this stage.
“The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years,” Thiebaut said.
About The Author
Original post here
