VMware Zero-Day CVE-2025-41244 Exploited Since 2024: Local Privilege Escalation Under Attack

Overview

A local privilege-escalation problem known as CVE-2025-41244 has been exploited in the wild since mid-October 2024, allegedly by a China-linked entity known as UNC5174. The vulnerability affects several VMware products (including VMware Tools and Aria Operations). Successful abuse allows an unprivileged user on a virtual machine to elevate to root. Patches and vendor recommendations are available; update VMware Tools/open-vm-tools and begin mitigation immediately.

Background and scope

Broadcom/VMware addressed a vulnerability (CVE-2025-41244) that allows local privilege escalation on VMs with VMware Tools or Aria Operations installed and configured in specific ways. According to NVISO Labs’ incident analysis, exploitation was identified in genuine incidents beginning in mid-October 2024, and the behavior was traced to a threat actor frequently associated with China, known in tracking databases as UNC5174 (also referred to by certain vendors as Uteus/Uetus).

Which VMware products are affected

Affected families include multiple VMware platforms and Tools releases across Windows and Linux builds, such as:

  • VMware Cloud Foundation (4.x, 5.x, 9.x.x.x, 13.x.x.x)
  • VMware vSphere Foundation (9.x.x.x, 13.x.x.x)
  • VMware Aria Operations (8.x)
  • VMware Tools 11.x / 12.x / 13.x (Windows & Linux)
  • VMware Telco Cloud Platform / Infrastructure series
  • Related open-vm-tools packages (fixes distributed by Linux vendors)

How the flaw works

The root cause is a function that compares running process binaries against regex patterns and, on a match, executes version commands to gather metrics. The regex patterns were overly liberal: a pattern element matched non-system binaries in writable directories (like /tmp/httpd), not only binaries in system paths. By placing a binary in such a location and causing it to open a listening socket, an attacker can fool the metrics collection service into executing that binary in a privileged context, gaining code execution as root.

Key points:

  • This is local — an attacker must already have code execution or shell access as an unprivileged user on the VM.
  • The issue stems from overly broad regex matching that does not restrict binaries to system paths.
  • NVISO observed staging at /tmp/httpd during real exploitation.

Who’s using it

NVISO Labs attributed the observed exploitation activity to UNC5174, a group with a history of exploiting enterprise software vulnerabilities (the Ivanti and SAP NetWeaver exploitation chains are two instances). Although the research team was unable to fully describe the post-exploitation payloads publicly at the time of reporting, analysts acknowledge the group’s use of the flaw here, or at the very least its unintentional triggering by pre-existing tooling and malware.

Impact

When exploited successfully, an unprivileged local user can gain privileged code execution (root) on the same VM. In targeted environments, that can enable:

  • Lateral movement inside the tenant environment
  • Credential harvesting and persistence
  • Higher-impact data exfiltration or service tampering

Because the vulnerability requires initial local access, it’s often combined with other foothold techniques (phishing, misconfigured services, vulnerable web apps, or stolen credentials).

Actionable mitigation & recommendations

Patch immediately: Install the vendor-released VMware Tools updates (e.g., VMware Tools 12.4.9 as a fix for certain Windows 32-bit builds and the versions noted by VMware) and apply any Aria/Cloud Foundation patches VMware published. Ensure your Linux distributions receive the updated open-vm-tools packages from vendors.

Harden writable directories: Restrict use of world-writable directories for execution where possible; consider mounting /tmp with noexec where operationally feasible.

Limit local exposures: Reduce the number of users/processes allowed to open arbitrary listening sockets. Monitor processes that open ephemeral/listening ports from nonstandard paths.

Detect suspicious binaries: Monitor for binaries in non-system locations such as /tmp, /var/tmp, or other writable folders, and for unusual processes launching version commands from metrics collectors.

Hunt for indicators: Look for evidence of processes staged in /tmp/httpd (or similar names mimicking system binaries) and for unexpected elevated shells spawned from metrics/collection services.
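A defender's hunting script for the behaviour described in "How the flaw works" and in the indicator hunt above: it contrasts name-only matching of a service binary with a check that also requires a system path, then flags listening processes that match by name but run from elsewhere (e.g. /tmp/httpd). This is an added example, not NVISO's or VMware's code; SYSTEM_DIRS and SERVICE_PATTERNS are hypothetical stand-ins for the collector's real patterns, which the page does not publish, and the live scan assumes a Linux /proc.

```python
import os
import re
from collections import namedtuple

# Hypothetical allowlist and service-name patterns; they only illustrate the matching logic.
SYSTEM_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/libexec/")
SERVICE_PATTERNS = [re.compile(r"^httpd$"), re.compile(r"^nginx$"), re.compile(r"^mysqld$")]
Proc = namedtuple("Proc", "pid exe listening")  # exe: /proc/<pid>/exe target; listening: has LISTEN socket

def loose_match(exe):
    """Name-only match: the over-broad behaviour the advisory describes."""
    return any(p.search(os.path.basename(exe)) for p in SERVICE_PATTERNS)

def strict_match(exe):
    """Hardened check: the name must match AND the binary must live in a system directory."""
    return loose_match(exe) and exe.startswith(SYSTEM_DIRS)

def suspicious(procs):
    """Hunting rule: listening processes whose binary mimics a service name
    but runs from outside the system directories (e.g. /tmp/httpd)."""
    return [p for p in procs if p.listening and loose_match(p.exe) and not strict_match(p.exe)]

def listen_inodes():
    """Inodes of TCP sockets in LISTEN state (st == 0A) from /proc/net/tcp and tcp6 (Linux)."""
    inodes = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                next(f)                      # skip the header line
                for line in f:
                    cols = line.split()
                    if cols[3] == "0A":
                        inodes.add(cols[9])  # column 9 is the socket inode
        except OSError:
            pass
    return inodes

def live_procs():
    """Build Proc records from a live /proc; pids we cannot read are skipped."""
    inodes = listen_inodes()
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            socks = {os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")}
        except OSError:
            continue
        procs.append(Proc(int(pid), exe, any(f"socket:[{i}]" in socks for i in inodes)))
    return procs
```

On a Linux guest, `suspicious(live_procs())` returns the processes worth triaging; it only sees sockets in the caller's network namespace, so run it as root in the guest's root namespace.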

Apply defense-in-depth: Combine patching with host-based EDR rules, network segmentation, and strict VM guest isolation policies.

Audit and rotate credentials if you suspect compromise, and perform incident response where indicators of exploitation exist.
