Severity: High · CISA KEV · Exploited in the wild · Public exploit

Local Privilege Escalation in VMware Aria Operations and VMware Tools Service Discovery

Identifiers: CVE-2025-41244, CWE-426

CVE-2025-41244 is a local privilege escalation vulnerability affecting VMware Aria Operations, VMware Tools, and open-vm-tools in Linux guest virtual machines. The issue is exposed when a VM has VMware Tools installed, is managed by VMware Aria Operations, and the Service Discovery Management Pack (SDMP) feature is enabled. Technical reporting places the flaw in the service discovery/version collection logic, including the get-versions.sh script in open-vm-tools, which uses overly broad regular-expression matching to identify service binaries and then executes the matched binaries with version arguments in a privileged context. Because the matching can include attacker-controlled paths such as writable locations under /tmp, a local unprivileged user can place and run a malicious binary with a listening socket so that VMware service discovery later identifies and executes it as root or as another privileged service account. The weakness is best characterized as an untrusted search path issue (CWE-426).

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local non-administrative attacker on the guest VM to escalate privileges to root on the same VM, or to the privileged account configured for credential-based discovery. Root-level compromise can enable full control of the guest, including disabling security controls, accessing sensitive data and credentials, establishing persistence, deploying additional malware, and using the VM as a staging point for further post-compromise activity. Reporting also notes in-the-wild zero-day exploitation since at least mid-October 2024, including use by the China-linked threat actor UNC5174.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling SDMP/service discovery where operationally feasible, limiting local shell access to guest VMs, and restricting unprivileged users from staging or executing binaries in writable paths that may be inspected by service discovery. Monitor for unusual privileged child processes spawned by vmtoolsd or service discovery scripts, and inspect for artifacts such as temporary VMware SDMP script directories under /tmp/VMware-SDMP-Scripts-{UUID}/ in credential-based mode. These are compensating controls only; patching is the primary corrective action.
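The monitoring described above, as an added example that is not part of this page or of any VMware tooling: it walks a constructed process snapshot for root processes that run from user-writable paths and descend from vmtoolsd or get-versions.sh, and picks SDMP script directories out of a /tmp listing. The Proc fields, path prefixes and all sample values are assumptions made for the example.

```python
"""Detection sketch for the CVE-2025-41244 pattern: privileged children of VMware
service discovery executing from user-writable paths. Sample data is constructed;
the Proc fields mirror what ps or auditd would provide (assumption)."""
from collections import namedtuple
import re

# Paths an unprivileged local user can normally write to.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Ancestors that indicate service discovery drove the execution.
DISCOVERY_PARENTS = {"vmtoolsd", "get-versions.sh"}
# Credential-based SDMP stages scripts under /tmp/VMware-SDMP-Scripts-{UUID}/.
SDMP_DIR_RE = re.compile(r"^/tmp/VMware-SDMP-Scripts-[0-9A-Fa-f-]+/?$")

Proc = namedtuple("Proc", "pid ppid uid comm exe")

def discovery_ancestor(proc, by_pid):
    """Walk the parent chain; return the first discovery ancestor's comm, or None."""
    seen, cur = set(), by_pid.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.comm in DISCOVERY_PARENTS:
            return cur.comm
        cur = by_pid.get(cur.ppid)
    return None

def find_suspicious(procs):
    """(pid, exe, ancestor) for root processes run from untrusted paths by discovery."""
    by_pid = {p.pid: p for p in procs}
    return [(p.pid, p.exe, anc) for p in procs
            if p.uid == 0 and p.exe.startswith(UNTRUSTED_PREFIXES)
            and (anc := discovery_ancestor(p, by_pid))]

def sdmp_script_dirs(paths):
    """Pick SDMP temporary script directories out of a /tmp listing."""
    return [p for p in paths if SDMP_DIR_RE.match(p)]

# Constructed snapshot: vmtoolsd -> get-versions.sh -> binary a local user staged in /tmp.
SAMPLE_PROCS = [
    Proc(1, 0, 0, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, 1, 0, "vmtoolsd", "/usr/bin/vmtoolsd"),
    Proc(4201, 812, 0, "get-versions.sh", "/bin/bash"),
    Proc(4207, 4201, 0, "httpd", "/tmp/httpd"),       # staged binary: flagged
    Proc(4210, 4201, 0, "nginx", "/usr/sbin/nginx"),  # legitimate system binary
    Proc(3001, 1, 1000, "bash", "/tmp/bash"),         # unprivileged: not a hit
]
SAMPLE_TMP = ["/tmp/systemd-private-abc", "/tmp/VMware-SDMP-Scripts-1234abcd-5678/", "/tmp/httpd"]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_PROCS))
    print(sdmp_script_dirs(SAMPLE_TMP))
```

On a live host the same two functions can be fed from /proc or execve audit records; a hit on the nginx-style legitimate path is expected to be absent, which is why the prefix check and the ancestry check are both required.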

Remediation

Patch, then assume compromise.

Apply Broadcom's fixes referenced in advisory VMSA-2025-0015. Affected products include VMware Aria Operations prior to 8.18.5, VMware Tools prior to 13.0.5.0 and 12.5.4, and VMware Cloud Foundation Operations prior to 9.0.1.0. For environments using open-vm-tools from Linux distributions, install the updated packages supplied by the relevant distribution. Validate that all managed guest VMs and Aria Operations components are updated, especially systems using SDMP/service discovery.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

Valid: 0 / 2 total

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor     Product                      Type
Broadcom   Aria Operations              application
Broadcom   Cloud Foundation             application
Broadcom   Cloud Foundation Operations  application
Broadcom   Open Vm Tools                application
Broadcom   Telco Cloud Infrastructure   application
Broadcom   Telco Cloud Platform         application
Broadcom   Tools                        application
Debian     Debian Linux                 operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (5)

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (1)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (126)

Community discussion across Reddit, Mastodon, and other social sources.