VMware customers looking at a security advisory from Broadcom this week for an LPE bug with a CVSS of 7.8 would be forgiven for not scrambling to patch – after all, Broadcom doesn’t say it’s being exploited and it has yet to make CISA’s “known exploited vulnerabilities” catalogue. 

But it has been exploited for over a year, report security researchers at Belgium’s Nviso – who say their incident response work suggests the VMware vulnerability has been abused since at least October 2024. (They identified exploitation during an IR engagement in May this year.)

The vulnerability in question, allocated CVE-2025-41244, affects VMware Tools and VMware Aria Operations. It also impacts the open-source open-vm-tools, distributed on most major Linux distributions. It lets a local attacker with limited privileges escalate them to root on the VM. 

Broadcom pushed a patch on Sep 29.

Nviso’s Maxime Thiebaut said this week that the vulnerability has been used by a Chinese state-backed APT, UNC5174 – whilst admitting that they can’t tell whether the threat group developed the exploit explicitly as a zero day or its “usage was merely accidental due to its trivialness.”

Breaking down CVE-2025-41244 exploitation.

Adapted from Nviso's threat report with Gemini.

The Feature's Job: VMware Tools (and Aria Operations) use a Service Discovery feature to find and collect version information about services (like Apache or MySQL) running inside a guest Virtual Machine (VM). This collection process runs with elevated privileges (often as root).

The Flawed Script: To get service versions, the privileged service executes a collection script (e.g., get-versions.sh). This script scans the processes with listening network sockets and looks for matches based on service names.

The Broad Search: The problem is in the way the script searches. It uses a Regular Expression (Regex) that is far too broad. Instead of only matching trusted, known system paths (like /usr/bin/apache), it uses characters like \S+ which allow it to match a binary path located anywhere on the filesystem, including user-writable directories.

The Attacker's Setup: An attacker who already has low-level access to the VM exploits this by setting two things up:

  • They create a malicious binary (e.g., a reverse shell) and name it something the script is looking for (like /tmp/httpd).
  • They run this malicious binary and make sure it opens a dummy listening socket.

The Trigger and Elevation: When the VMware service discovery runs periodically (with its high privileges), it follows these steps:

  • It sees the attacker's running binary (/tmp/httpd) which has a listening socket.
  • The flawed regex pattern matches this path.
  • The high-privileged service then executes the attacker's binary, passing a version-check argument (e.g., /tmp/httpd -v).

The Result: Root Access: Because the attacker's binary is executed by the privileged VMware process, the low-privileged attacker instantly gains root-level code execution inside the virtual machine. This escalation works whether the discovery is running in the Credential-less mode (flaw in VMware Tools) or the Credential-based mode (flaw in the Aria Operations collector scripts).

He urged users to monitor for high-privilege VMware service processes spawning unusual child processes, particularly if the command path is non-standard or includes version-check arguments. (Admittedly, “abuse of CVE-2025-41244 is indicative that an adversary has already gained access to the affected device and that several other detection mechanisms should have triggered”, but it deserves noting regardless.)
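As an added illustration (not code from Nviso’s report or from the VMware scripts), the Python below contrasts a broad `\S+`-style service pattern with one anchored to trusted system directories, then applies the monitoring advice above to constructed process-spawn events. The parent process name `vmtoolsd` (the VMware Tools daemon) and the key=value event format are assumptions, not taken from the article.

```python
import re

# Constructed process-spawn events (not real VMware logs) in key=value form;
# "vmtoolsd" is assumed to be the VMware Tools daemon running discovery as root.
SAMPLE_EVENTS = [
    "parent=vmtoolsd parent_uid=0 child=/usr/sbin/httpd args=-v",
    "parent=vmtoolsd parent_uid=0 child=/usr/sbin/mysqld args=--version",
    "parent=vmtoolsd parent_uid=0 child=/tmp/httpd args=-v",
    "parent=vmtoolsd parent_uid=0 child=/home/dev/.cache/mysqld args=--version",
    "parent=bash parent_uid=1000 child=/tmp/httpd args=-v",
]

# Broad pattern in the spirit of the flawed script: \S+ accepts any directory.
BROAD_SERVICE_RE = re.compile(r"^\S+/(httpd|mysqld|nginx)$")
# Anchored alternative: only binaries under trusted, root-owned system paths.
STRICT_SERVICE_RE = re.compile(r"^/(usr/(local/)?)?s?bin/(httpd|mysqld|nginx)$")
VERSION_FLAGS = {"-v", "-V", "--version"}
EVENT_RE = re.compile(r"parent=(\S+) parent_uid=(\d+) child=(\S+) args=(.*)")

def parse_event(line):
    """Parse one constructed event line into a dict, or None if malformed."""
    m = EVENT_RE.fullmatch(line.strip())
    if not m:
        return None
    return {"parent": m.group(1), "uid": int(m.group(2)),
            "child": m.group(3), "args": m.group(4).split()}

def pattern_verdicts(path):
    """Show why a path slips through: (broad pattern matches, strict matches)."""
    return bool(BROAD_SERVICE_RE.match(path)), bool(STRICT_SERVICE_RE.match(path))

def flag_discovery_children(lines):
    """Return (child_path, reason) for root vmtoolsd children whose binary
    lives outside the trusted system directories the strict pattern allows."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["parent"] != "vmtoolsd" or ev["uid"] != 0:
            continue  # only the privileged discovery parent is of interest
        if STRICT_SERVICE_RE.match(ev["child"]):
            continue  # expected: a real service binary in a system path
        reason = "non-standard path"
        if VERSION_FLAGS & set(ev["args"]):
            reason += " with version-check argument"
        findings.append((ev["child"], reason))
    return findings

if __name__ == "__main__":
    for child, reason in flag_discovery_children(SAMPLE_EVENTS):
        print(f"ALERT {child}: {reason}")
```

The same binary spawned by an unprivileged shell is deliberately ignored, since the article’s concern is the high-privilege VMware parent, not the file name alone.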

“A version of open-vm-tools that addresses CVE-2025-41244 will be distributed by Linux vendors,” Broadcom added. Debian, Ubuntu and others have pushed fixes and/or advisories.

Sysdig has a useful recent advisory on further UNC5174 TTPs here, including its deployment of a home-grown Cobalt Strike-alternative dubbed vshell, which includes a multi-platform RAT written in Go that has now been removed from GitHub.
