
A high-severity privilege escalation vulnerability in VMware products was exploited in the wild for nearly a year before a patch became available, security researchers have revealed.
Broadcom disclosed CVE-2025-41244 on Monday, but cybersecurity firm NVISO identified active exploitation dating back to mid-October 2024. The vulnerability, affecting VMware Tools and VMware Aria Operations, lets a local, unprivileged user inside a guest virtual machine escalate to root. It is a local privilege escalation, so an attacker needs an existing foothold in the guest, but root on a guest is still a serious compromise in enterprise environments where the affected tooling is widely deployed.
NVISO attributed the exploitation to UNC5174, a Chinese state-sponsored threat actor known for leveraging publicly disclosed vulnerabilities for initial access operations. However, researchers noted the vulnerability's "trivialness" makes it unclear whether the attackers deliberately exploited it or accidentally benefited from its presence.
The flaw resides in VMware's Service Discovery Management Pack (SDMP), the Aria Operations component that identifies the services running inside a virtual machine. In the credential-less mode of discovery the version-gathering logic runs inside the guest through VMware Tools, with root privileges, which is why the CVE covers both products. To work out a service's version, the logic takes the binary behind each discovered process, matches its path against broad regular expressions that look only at the name of the binary and not at where it lives, and then executes the match with a version-reporting flag. A binary in a user-writable directory such as /tmp satisfies those patterns just as well as one in /usr/sbin.
"As simple as it sounds, you name it, VMware elevates it," NVISO researchers explained. An attacker stages and runs a binary named after a legitimate service (such as /tmp/httpd) and waits for the next automated metrics-collection cycle, which runs every five minutes, to execute it as root.
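To make the mechanism concrete, the following is an added example written for this article in Python; it is neither VMware's code nor NVISO's proof-of-concept. It reconstructs the decision described above (match the binary behind a listening process against a name-only regex, then run it with a version flag as root) and places a hardened selector beside it that refuses anything outside root-owned, non-writable system directories. The service names, regex patterns, version flags, sample process paths and the fake filesystem are all assumptions made for illustration.

```python
import os
import re
import stat
from collections import namedtuple

# Broad, location-agnostic patterns in the spirit of the ones the article
# describes (assumed for illustration): the path only has to END in the
# service name, so /tmp/httpd matches exactly like /usr/sbin/httpd.
SERVICE_PATTERNS = {
    "httpd":  (re.compile(r".*/httpd$"),  "-v"),
    "nginx":  (re.compile(r".*/nginx$"),  "-v"),
    "sshd":   (re.compile(r".*/sshd$"),   "-V"),
    "mysqld": (re.compile(r".*/mysqld$"), "--version"),
}

# Constructed sample: resolved /proc/<pid>/exe paths of processes holding a
# listening socket, as a service-discovery scan might enumerate them.
LISTENING_BINARIES = [
    "/usr/sbin/sshd",
    "/usr/sbin/httpd",
    "/tmp/httpd",                    # staged and started by an unprivileged user
    "/home/alice/.local/bin/nginx",  # also user-writable
    "/usr/bin/python3",              # matches no service pattern
]


def select_vulnerable(paths, patterns=SERVICE_PATTERNS):
    """(binary, version_flag) pairs a regex-only selector would run as root."""
    return [(path, flag)
            for path in paths
            for regex, flag in patterns.values()
            if regex.match(path)]


# Directories only root can write to on a stock install. A real deployment
# should also verify that each directory component is root-owned and not
# world-writable; that check is omitted here to keep the example offline.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                "/usr/local/sbin/", "/usr/local/bin/")

# Constructed stand-in for os.lstat so the example runs offline; the checker
# takes the stat callable as a parameter for exactly that reason.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
FAKE_FS = {
    "/usr/sbin/sshd":               FakeStat(stat.S_IFREG | 0o755, 0),
    "/usr/sbin/httpd":              FakeStat(stat.S_IFREG | 0o755, 0),
    "/tmp/httpd":                   FakeStat(stat.S_IFREG | 0o755, 1000),
    "/home/alice/.local/bin/nginx": FakeStat(stat.S_IFREG | 0o755, 1000),
    "/usr/bin/python3":             FakeStat(stat.S_IFREG | 0o755, 0),
}


def fake_lstat(path):
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


def is_trusted_binary(path, lstat=os.lstat):
    """Refuse anything an unprivileged user could have placed or modified."""
    norm = os.path.normpath(path)                   # '/usr/sbin/../../tmp/x' -> '/tmp/x'
    if not norm.startswith(TRUSTED_DIRS):
        return False
    try:
        st = lstat(norm)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):                # no symlinks, FIFOs, devices
        return False
    if st.st_uid != 0:                              # root-owned only
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # not group/world-writable
        return False
    return True


def select_hardened(paths, patterns=SERVICE_PATTERNS, lstat=os.lstat):
    """Same matching, but only binaries passing is_trusted_binary survive."""
    return [(p, f) for p, f in select_vulnerable(paths, patterns)
            if is_trusted_binary(p, lstat)]


if __name__ == "__main__":
    print("regex-only would run as root:", select_vulnerable(LISTENING_BINARIES))
    print("hardened would run as root:  ",
          select_hardened(LISTENING_BINARIES, lstat=fake_lstat))
```

Run against the constructed list, the regex-only selector hands /tmp/httpd and the nginx copy under a home directory to a root exec, while the hardened selector keeps only the two binaries under /usr/sbin. The ownership and mode checks matter as much as the directory allowlist: a pattern that is merely anchored to /usr/sbin can still be defeated if a trusted directory or file has been made writable.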
Maxime Thiebaut from NVISO, who discovered and reported the vulnerability, developed a proof-of-concept demonstrating how attackers gain root shells within minutes of staging malicious binaries.
The vulnerability affects VMware Cloud Foundation, VMware Aria Operations versions 8.x and earlier, and VMware Tools versions 13.x, 12.x, and 11.x across Windows and Linux systems. With CVSS scores ranging from 7.6 to 7.8, Broadcom rates the severity as "Important."
Organizations should update to VMware Tools 13.0.5 or 12.5.4 and Aria Operations 8.18.5 without delay; Linux guests that take VMware Tools from their distribution's open-vm-tools package receive the fix through that package. Security teams can detect exploitation by monitoring for the VMware Tools daemon (vmtoolsd), or a shell it spawned, executing a binary from a temporary or otherwise user-writable directory such as /tmp, /var/tmp or a home directory, and for root-owned processes whose executable lives in such a location. Because discovery re-runs on a five-minute cycle, a staged binary is executed repeatedly, which makes the pattern straightforward to baseline and alert on.
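The detection idea above, as an added example written for this article rather than guidance published by NVISO or Broadcom: the script parses constructed process-creation events, walks each process's ancestry, and raises an alert when a process descended from vmtoolsd executes a binary from a user-writable path, or when a root process descends from such a binary (the spawned shell). The key=value telemetry format, timestamps, pids and paths are made up; in practice the same logic would be fed from auditd execve records, Sysmon process-creation events or an EDR's process tree.

```python
import os
import shlex

# Process names of the VMware Tools daemon on Linux and Windows guests.
TOOLS_DAEMONS = {"vmtoolsd", "vmtoolsd.exe"}
# Locations an unprivileged local user can normally write to (assumed list).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed sample telemetry, one process start per line (key=value fields),
# modelled on the daemon -> shell -> discovered-binary chain the article
# describes. Timestamps, pids and paths are made up for this example.
SAMPLE_EVENTS = """\
ts=2025-09-29T10:00:00Z pid=812 ppid=1 uid=0 comm=vmtoolsd exe=/usr/bin/vmtoolsd
ts=2025-09-29T10:05:00Z pid=4310 ppid=812 uid=0 comm=sh exe=/bin/sh
ts=2025-09-29T10:05:00Z pid=4311 ppid=4310 uid=0 comm=httpd exe=/usr/sbin/httpd args="/usr/sbin/httpd -v"
ts=2025-09-29T10:05:01Z pid=4312 ppid=4310 uid=0 comm=httpd exe=/tmp/httpd args="/tmp/httpd -v"
ts=2025-09-29T10:05:02Z pid=4313 ppid=4312 uid=0 comm=bash exe=/bin/bash args="/bin/bash -i"
ts=2025-09-29T10:06:00Z pid=5001 ppid=1 uid=1000 comm=python3 exe=/tmp/python3 args="/tmp/python3 app.py"
"""


def parse_events(text):
    """Map pid -> field dict. shlex keeps quoted args= values in one token."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.partition("=")[::2] for tok in shlex.split(line))
        fields["pid"], fields["ppid"] = int(fields["pid"]), int(fields["ppid"])
        events[fields["pid"]] = fields
    return events


def ancestry(events, pid, max_depth=32):
    """Parents of pid, nearest first, following ppid through the event table."""
    chain, ev = [], events.get(pid)
    while ev is not None and len(chain) < max_depth:
        ev = events.get(ev["ppid"])
        if ev is not None:
            chain.append(ev)
    return chain


def in_untrusted_location(exe):
    """True when the executable sits somewhere an unprivileged user can write."""
    return os.path.normpath(exe).startswith(UNTRUSTED_PREFIXES)


def detect(text):
    """Return (pid, exe, reason) for suspicious starts under the Tools daemon."""
    events = parse_events(text)
    alerts = []
    for pid in sorted(events):
        ev, chain = events[pid], ancestry(events, pid)
        if not any(a["comm"] in TOOLS_DAEMONS for a in chain):
            continue  # not descended from vmtoolsd: out of scope for this rule
        if in_untrusted_location(ev["exe"]):
            alerts.append((pid, ev["exe"],
                           "Tools daemon chain executed a binary from a user-writable path"))
        elif ev["uid"] == "0" and any(in_untrusted_location(a["exe"]) for a in chain):
            alerts.append((pid, ev["exe"],
                           "root process descended from a user-writable binary"))
    return alerts


if __name__ == "__main__":
    for pid, exe, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} exe={exe}: {reason}")
```

On the sample, the legitimate /usr/sbin/httpd -v probe (pid 4311) passes silently, /tmp/httpd -v (pid 4312) is flagged because it runs under vmtoolsd from a temporary directory, and the interactive bash it spawns (pid 4313) is flagged as a root process descended from that binary. The unrelated /tmp/python3 run as an ordinary user (pid 5001) is not flagged, since the rule is scoped to the Tools daemon's process tree rather than to every binary in /tmp.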