VMware Urgently Addresses Exploited Zero-Day Vulnerability CVE-2025-41244


By Tina Reynolds

VMware recently announced a serious zero-day vulnerability, CVE-2025-41244, that has been under active exploitation since at least mid-October 2024. This local privilege escalation bug carries a CVSS score of 7.8, a high rating that underscores both its severity and the potential for widespread impact on affected systems. Multiple versions of VMware’s Cloud Foundation, vSphere Foundation, Aria Operations, and VMware Tools are affected by this critical vulnerability. It has the potential to allow non-privileged users to obtain elevated access to system resources.

The recently identified threat actor, tracked as UNC5174, placed a malicious binary at the temporary staging path “/tmp/httpd”, a location that mimics a legitimate system service binary. This simple ruse was enough to trigger the vulnerability. The technique allowed the attacker to spawn an elevated root shell, giving them privileged access to system functions.

Affected Products

CVE-2025-41244 affects multiple VMware products, a concern for the users and administrators who rely on these tools. Specifically, the following versions are affected:

  • VMware Cloud Foundation 4.x, 5.x, and 9.x.x.x
  • VMware Cloud Foundation 13.x.x.x for both Windows and Linux
  • VMware vSphere Foundation 9.x.x.x and 13.x.x.x for Windows and Linux
  • VMware Aria Operations 8.x
  • VMware Tools versions 11.x.x, 12.x.x, and 13.x.x for Windows and Linux
  • VMware Telco Cloud Platform 4.x and 5.x
  • VMware Telco Cloud Infrastructure 2.x and 3.x

The sheer number of vulnerable products highlights how impactful this vulnerability is across the entire VMware ecosystem.

Exploitation and Risks

The exploitation of CVE-2025-41244 presents an exceptional risk to organizations running the affected software. Any local actor with non-administrative privileges can leverage this vulnerability to run arbitrary code in an administrative context, effectively gaining root access inside the virtual machine.

“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.” – VMware

Security researchers have said the exploit’s methodology raises concerns about wider implications. Maxime Thiebaut commented on the situation, stating:

“The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years.”

The exploitation pattern shows a degree of sophistication that raises serious concerns about vulnerabilities of this kind persisting in the system.

Response and Mitigation

In light of this major security flaw, VMware has released an out-of-band patch for CVE-2025-41244. Organizations are strongly encouraged to apply the update at the earliest opportunity to reduce the risk of exploitation.

Thiebaut also cautioned that it is unclear whether the exploit was a deliberate part of the threat actor’s toolkit or whether it was used by accident.

“We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.” – Maxime Thiebaut

Thiebaut further elaborated on the exploit’s mechanics, noting that while legitimate system binaries function correctly within their defined parameters, the regex patterns employed may inadvertently match non-system binaries as well.

“While this functionality works as expected for system binaries (e.g., /usr/bin/httpd), the usage of the broad‑matching \S character class (matching non‑whitespace characters) in several of the regex patterns also matches non-system binaries (e.g., /tmp/httpd).” – Maxime Thiebaut
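As an added illustration (not code from the article or from VMware), the snippet below contrasts a broad \S-based discovery pattern with a path-anchored one and flags service lookalikes running outside trusted system directories; the patterns, service names, trusted directories and the sample process list are all constructed assumptions, not VMware’s actual SDMP patterns.

```python
import re

# Constructed sample process listing (pid, user, command line); not real telemetry.
SAMPLE_PROCS = [
    (812,  "root",   "/usr/sbin/httpd -k start"),
    (1301, "mysql",  "/usr/sbin/mysqld --basedir=/usr"),
    (2210, "nobody", "/tmp/httpd -k start"),          # lookalike staged in /tmp
    (2344, "alice",  "/home/alice/.cache/nginx"),     # lookalike in a home directory
    (2400, "alice",  "/usr/bin/python3 app.py"),
]

# Illustrative discovery patterns (assumption: the real VMware patterns are not on the page).
# The broad form mirrors the flaw described: \S+ accepts any non-whitespace path prefix.
BROAD_HTTPD = re.compile(r"^(\S+/httpd)\b")
# The strict form only accepts binaries under trusted system directories.
STRICT_HTTPD = re.compile(r"^((?:/usr/s?bin|/s?bin|/usr/libexec)/httpd)\b")

TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin", "/usr/libexec")
SERVICE_NAMES = {"httpd", "mysqld", "nginx", "sshd", "postgres"}  # assumed watch list

def matched_by(pattern, cmdline):
    """Return the binary path a discovery pattern extracts, or None if it does not match."""
    m = pattern.match(cmdline)
    return m.group(1) if m else None

def is_trusted_path(path):
    return any(path.startswith(d + "/") for d in TRUSTED_DIRS)

def find_lookalikes(procs):
    """Return (pid, path) for processes whose executable name mimics a well-known
    service but whose binary lives outside the trusted system directories."""
    hits = []
    for pid, _user, cmdline in procs:
        path = cmdline.split()[0]          # first token is the executable path
        name = path.rsplit("/", 1)[-1]     # basename, e.g. "httpd"
        if name in SERVICE_NAMES and not is_trusted_path(path):
            hits.append((pid, path))
    return hits

if __name__ == "__main__":
    for pid, path in find_lookalikes(SAMPLE_PROCS):
        print(f"suspicious service lookalike: pid={pid} path={path}")
```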