SOCRadar® Cyber Intelligence Inc. | VMware CVE-2025-41244 Exploited: What You Need to Know About the Latest Flaws
Oct 01, 2025
7 Mins Read

VMware CVE-2025-41244 Exploited: What You Need to Know About the Latest Flaws

[Update] VMware Aria Operations & Tools Vulnerability (CVE-2025-41244) Added to CISA KEV

Cybersecurity researchers have reported active exploitation of a severe VMware vulnerability, CVE-2025-41244, that allows attackers to gain root-level access on virtual machines. The flaw, linked to Chinese state-sponsored hackers, has been stealthily leveraged since late 2024.

In addition to this zero-day, Broadcom recently patched several other high-impact vulnerabilities across VMware products, making this an urgent moment for security teams to reassess their risk exposure.

What is CVE-2025-41244?

The most pressing concern is CVE-2025-41244 (CVSS 7.8), a local privilege escalation vulnerability impacting both VMware Aria Operations and VMware Tools.

According to Broadcom’s official advisory, the flaw allows a non-administrative user on a virtual machine to escalate privileges to root if Service Discovery Management Pack (SDMP) is enabled.

Details of CVE-2025-41244 (SOCRadar Vulnerability Intelligence)

NVISO researchers revealed that CVE-2025-41244 had been actively used by the Chinese state-backed threat actor UNC5174 since mid-October 2024. The group exploited a predictable directory path (/tmp/httpd) to insert malicious binaries that were later executed by VMware’s service discovery mechanism.

How Does CVE-2025-41244 Work? Is There a PoC Available?

The vulnerability stems from an overly permissive regular expression in get_version(), a helper function used during service discovery. Because the pattern matches any run of non-whitespace characters (\S+), the tool accepts binaries from any directory, including insecure, world-writable paths such as /tmp. Researchers have published a Proof-of-Concept (PoC) for CVE-2025-41244 that demonstrates how trivial the attack is to perform.

The exploit unfolds as follows:

  1. Malicious binary placement: Attacker places a custom binary (e.g., /tmp/httpd) on the system.
  2. Trigger discovery: The binary is executed and opens a listening port to mimic a legitimate service.
  3. Automatic execution: The VMware collector detects the process, matches it via regex, and runs the binary with elevated privileges using a version flag (e.g., -v).
  4. Root shell spawned: The binary connects back via IPC, giving the attacker a root shell.
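To make the root cause concrete, the following is an added illustration (not VMware's or NVISO's code) of the permissive \S+ match described above placed beside a hardened variant that only accepts executables which normalise into an allowlisted system directory. The allowlist, the function names and the sample command lines are assumptions of this example.

```python
import os
import re

# Constructed command lines of listening services, as a discovery collector might
# see them before deriving which executable to run with a version flag.
SAMPLE_CMDLINES = [
    "/usr/sbin/httpd -k start",
    "/tmp/httpd",                       # binary planted in a world-writable directory
    "/usr/sbin/../../tmp/httpd -v",     # traversal aimed at a naive prefix check
    "httpd -v",                         # relative path, cannot be trusted either
]

# Illustration of the permissive match: any run of non-whitespace characters is
# accepted as the executable, so /tmp/httpd qualifies just like /usr/sbin/httpd.
PERMISSIVE_BINARY_RE = re.compile(r"^(\S+)")

# Allowlist used by the hardened variant below. This is an assumption of the
# example, not the actual code change shipped by Broadcom.
TRUSTED_DIRS = ("/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec", "/bin", "/sbin", "/opt")


def permissive_candidate(cmdline):
    """Return the path the weak regex would pass to '<binary> -v' (None if no match)."""
    m = PERMISSIVE_BINARY_RE.match(cmdline)
    return m.group(1) if m else None


def hardened_candidate(cmdline, trusted_dirs=TRUSTED_DIRS):
    """Return the path only if it is absolute and normalises into a trusted directory.

    normpath() collapses '..' components before the prefix test; a real deployment
    would additionally resolve symlinks (os.path.realpath) and verify the file's
    owner and mode, omitted here to keep the example filesystem-independent.
    """
    m = PERMISSIVE_BINARY_RE.match(cmdline)
    if not m:
        return None
    path = os.path.normpath(m.group(1))
    if not os.path.isabs(path):
        return None
    if not any(path.startswith(d + "/") for d in trusted_dirs):
        return None
    return path


def triage(cmdlines=SAMPLE_CMDLINES):
    """Map each command line to (permissive decision, hardened decision)."""
    return {c: (permissive_candidate(c), hardened_candidate(c)) for c in cmdlines}
```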

What Are the Affected Systems? The Risk Context

The vulnerability applies to both credential-based and credential-less service discovery modes:

  • In credentialed mode, Aria Operations uses supplied admin credentials to run scripts inside VMs.
  • In credential-less mode, VMware Tools performs discovery directly, under its own privileged context.

Open-source variants like open-vm-tools are also affected, making Linux-based systems particularly exposed.

Organizations running hybrid-cloud infrastructures with Aria Suite, especially with Service Discovery Management Pack (SDMP) enabled, should assess their exposure.

Is There a Threat Actor Attribution?

The campaign exploiting CVE-2025-41244 has been attributed to UNC5174, a sophisticated Chinese Advanced Persistent Threat (APT) group.

UNC5174 Behind the Exploitation of VMware CVE-2025-41244

Operating as an initial access broker, the UNC5174 group specializes in exploiting critical vulnerabilities in enterprise software to gain unauthorized entry into high-value environments.

UNC5174 primarily targets U.S. defense contractors, U.K. government agencies, NGOs, and academic institutions. Its operations typically involve a blend of custom malware and open-source remote access tools designed to maintain stealth and persistence.

Their known exploits include earlier attacks leveraging vulnerabilities in F5 BIG-IP and ConnectWise ScreenConnect. In this case, NVISO’s incident response efforts confirmed that UNC5174 was behind the early exploitation of the VMware bug, even though it remains unclear whether they discovered it themselves or found it through opportunistic scanning.

Their exploitation of CVE-2025-41244 reflects a continuing pattern of leveraging zero-day vulnerabilities for covert intrusions into sensitive infrastructures.

Details of UNC5174 – For extensive information about the threat actor, including their TTPs, IOCs, and the latest campaigns, visit its page through SOCRadar’s Threat Actor Intelligence

What Are the Key Indicators of Compromise for CVE-2025-41244 Exploitation?

Security teams can use the following indicators to detect potential exploitation of CVE-2025-41244:

  • Unusual binary execution paths: Look for binaries such as /tmp/httpd or any non-standard executable running under root privileges, especially those located in writable directories like /tmp.
  • Unexpected child processes: Monitor for child processes spawned by vmtoolsd or Aria Operations collector scripts that should not invoke non-system binaries.
  • Presence of SDMP artifacts: Check for temporary folders like /tmp/VMware-SDMP-Scripts-{UUID}/ which may include logs or script traces referencing unauthorized binaries (e.g., /tmp/httpd -v).
  • IPC and listening sockets: Identify processes started by non-admin users that open listening sockets, which may be used for IPC-based privilege escalation.
  • PoC activity resemblance: Detect binaries that mimic behaviors from the NVISO PoC, such as dual-mode execution or IPC communications to spawn shells.

Any of these indicators may suggest that a local privilege escalation attempt has occurred and should prompt a full incident response.
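The indicators above can be turned into a host-side check. The following is an added example (not SOCRadar's or NVISO's tooling) that runs the first four indicators over a constructed process snapshot; the Proc fields, the temp and system directory lists and the SDMP directory name suffix are assumptions of this example, and a real deployment would feed it from ps, /proc or an EDR process tree.

```python
import re
from dataclasses import dataclass

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SYSTEM_DIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")
COLLECTOR_MARKERS = ("vmtoolsd", "VMware-SDMP-Scripts")
TEMP_VERSION_PROBE = re.compile(r"^/(?:tmp|var/tmp|dev/shm)/\S+\s+-v\b")

@dataclass
class Proc:
    pid: int
    ppid: int
    uid: int
    exe: str
    cmdline: str
    listening: bool = False   # process holds a listening socket

# Constructed process snapshot; the SDMP directory suffix stands in for the real UUID.
SNAPSHOT = [
    Proc(900, 1, 0, "/usr/bin/vmtoolsd", "/usr/bin/vmtoolsd"),
    Proc(1401, 900, 0, "/bin/bash", "/bin/bash /tmp/VMware-SDMP-Scripts-constructed-uuid/discover.sh"),
    Proc(1402, 1401, 0, "/tmp/httpd", "/tmp/httpd -v"),            # planted binary probed as root
    Proc(1403, 1401, 0, "/usr/sbin/httpd", "/usr/sbin/httpd -v"),  # legitimate probe, not flagged
    Proc(2200, 1, 1000, "/tmp/httpd", "/tmp/httpd", listening=True),  # staging by a non-admin user
]

def _ancestors(p, by_pid, max_hops=5):
    # Walk the parent chain, bounded in case the snapshot contains a cycle.
    chain, cur, hops = [], by_pid.get(p.ppid), 0
    while cur and hops < max_hops:
        chain.append(cur)
        cur, hops = by_pid.get(cur.ppid), hops + 1
    return chain

def find_suspicious(procs):
    # Returns [(pid, [reasons])] for processes matching the indicators listed above.
    by_pid, findings = {p.pid: p for p in procs}, []
    for p in procs:
        reasons = []
        in_temp = p.exe.startswith(TEMP_DIRS)
        if in_temp and p.uid == 0:
            reasons.append("root process executing from writable temp dir")
        under_collector = any(m in a.cmdline for a in _ancestors(p, by_pid) for m in COLLECTOR_MARKERS)
        if under_collector and not p.exe.startswith(SYSTEM_DIRS):
            reasons.append("non-system binary launched under service discovery")
        if TEMP_VERSION_PROBE.search(p.cmdline):
            reasons.append("temp-dir binary invoked with a version flag")
        if in_temp and p.uid != 0 and p.listening:
            reasons.append("unprivileged temp-dir process holding a listening socket")
        if reasons:
            findings.append((p.pid, reasons))
    return findings
```

The legitimate /usr/sbin/httpd -v probe under the same collector chain produces no finding, which is the false-positive case a detection like this must tolerate.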

VMware Aria Operations & Tools Vulnerability (CVE-2025-41244) Added to CISA KEV

CISA has added CVE-2025-41244 to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation.

All VMware users are urged to apply the latest updates immediately to prevent potential compromise. Federal agencies must patch all affected systems by November 20, 2025, as required under Binding Operational Directive (BOD) 22-01.

Other Important Vulnerabilities Patched in VMware Aria Operations, Tools, NSX, and vCenter

Broadcom’s official security advisory for CVE-2025-41244 also lists:

  • CVE-2025-41245 (CVSS 4.9): An information disclosure vulnerability in Aria Operations.
  • CVE-2025-41246 (CVSS 7.6): An improper authorization issue in VMware Tools that could allow privilege misuse in specific contexts.

Separately, a different advisory covered high-severity flaws in VMware NSX and vCenter:

  • CVE-2025-41250 (CVSS 8.5): An SMTP header injection vulnerability in VMware vCenter, which can be exploited by attackers with task creation rights to manipulate notification emails.
  • CVE-2025-41251 (CVSS 8.1) & CVE-2025-41252 (CVSS 7.5): Two username enumeration vulnerabilities in VMware NSX, discovered by the NSA, which allow unauthenticated actors to identify valid usernames, setting the stage for brute-force or targeted attacks.

Why Are These Flaws Particularly Dangerous?

The implications of CVE-2025-41244 and other recent VMware vulnerabilities extend across hybrid-cloud and enterprise environments:

  • VMware Aria Suite is commonly used for workload management and remediation, making it a high-value target.
  • VMware Tools is embedded in most VM environments, and its open-source version (open-vm-tools) ships with major Linux distributions.
  • The ability to escalate to root from a non-privileged VM user puts all dependent workloads at immediate risk.
  • The additional flaws in vCenter and NSX extend this attack surface across authentication, email systems, and network virtualization layers.

What Should You Do to Mitigate VMware Threats?

  • Apply the latest security patches as published in Broadcom’s CVE-2025-41244 advisory and the advisory covering CVE-2025-41250, CVE-2025-41251, and CVE-2025-41252.
  • Check for indicators of compromise (IoCs) associated with UNC5174 operations. Consider reviewing NVISO’s technical post for insights into exploitation patterns.
  • Audit VM configurations to verify whether SDMP is enabled and determine which service discovery mode (credentialed or credential-less) is active.
  • Restrict non-admin user capabilities on VMs where possible, and monitor for unexpected process activity and listening sockets in temporary directories.
  • Security teams should also revalidate their exposure to VMware NSX and vCenter components, especially if these systems are internet-facing or allow unauthenticated interaction.

Strengthen Your Defenses with SOCRadar’s CTI and ASM Capabilities

With zero-day exploitation tied to sophisticated threat actors like UNC5174, visibility into emerging threats and your own attack surface is critical.

SOCRadar’s Cyber Threat Intelligence (CTI) module empowers your team with real-time intelligence on vulnerabilities like CVE-2025-41244, mapping exploitation timelines, impacted assets, and adversary TTPs. Stay informed with curated profiles of APT groups, including UNC5174, and receive early warnings about active exploitation campaigns.

SOCRadar’s Vulnerability Intelligence

Meanwhile, the Attack Surface Management (ASM) module gives you continuous insight into your external-facing assets, helping you detect exposed instances, weak configurations, and other risks before attackers do.