CVE-2025-41244 Vulnerability: A New VMware Tools and Aria Zero-Day Actively Exploited for Privilege Escalation

September 30, 2025 · 4 min read

Hot on the heels of CVE-2025-20352, a critical Cisco IOS and IOS XE flaw actively exploited in the wild, the cyber threat landscape is shaken again by another zero-day. Tracked as CVE-2025-41244, this newly weaponized vulnerability affects VMware Tools and VMware Aria Operations, allowing local privilege escalation and enabling unprivileged users to execute code with root privileges on impacted systems.

In 2025, vulnerability management has emerged as a critical global priority as organizations contend with escalating cybersecurity risks. More than 35,000 vulnerabilities were disclosed worldwide, reflecting a 21% year-over-year surge and intensifying the pressure on security teams to keep pace. With exploitation remaining the primary attack vector and threat actors adopting increasingly sophisticated methods, proactive detection is crucial for reducing the attack surface.

The ease of exploitation of the newly identified VMware Tools and Aria zero-day (CVE-2025-41244) highlights the critical importance of rapid patching, vigilant process monitoring, and strengthening guest VM environments to defend against comparable zero-day threats.

Register for SOC Prime Platform to tap into top cybersecurity expertise and AI for enterprise-ready cyber defense. SOC Prime Platform offers curated, context-enriched detections to help organizations outscale cyber threats of any sophistication, including the increasing volumes of zero-day vulnerabilities affecting widely-used software. Click the Explore Detections button below to instantly drill down to the comprehensive collection of relevant Sigma rules filtered by the “CVE” tag to preempt attacks that weaponize known and emerging vulnerabilities. 

Explore Detections

The above-mentioned detection algorithms addressing vulnerability exploitation attempts are mapped to MITRE ATT&CK® and enhanced with AI-native threat intel to provide in-depth cyber threat context and accelerate threat research. Sigma rules can be automatically converted into multiple SIEM, EDR, and Data Lake formats, streamlining and simplifying the detection engineering process while increasing the engineering team’s productivity.

With Uncoder AI, an AI copilot and IDE for detection engineering, security teams can convert raw threat intel from reports into custom IOC queries, visualize Attack Flows, gain concise summaries or decision trees, supercharge detection strategies with ATT&CK® ML-powered code tagging and unlimited autocompletion, or optimize native-language queries with AI. The latest Uncoder AI version offers an AI Chat Bot mode and MCP tools to help security experts manage detection engineering tasks end-to-end. 

CVE-2025-41244 Analysis

Defenders have observed a novel zero-day local privilege escalation vulnerability in VMware Tools and VMware Aria Operations that is being actively exploited in the wild. The critical flaw, tracked as CVE-2025-41244 and carrying a CVSS score of 7.8, affects VMware Tools and the VMware Aria Operations Service Discovery Management Pack (SDMP), allowing unprivileged users to execute arbitrary code with root privileges.

NVISO researchers traced the issue to an Untrusted Search Path weakness (CWE-426) in the get-versions.sh script, which uses overly broad regex patterns to locate service binaries. An attacker can place a malicious binary in a writable directory (e.g., /tmp/httpd), which the VMware service discovery process then executes with elevated privileges, granting full root access.

The vulnerability affects both credential-less discovery (via VMware Tools on guest VMs) and legacy credential-based discovery (via VMware Aria Operations). Researchers confirmed the same flaw in open-vm-tools, shipped with most Linux distributions.
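To make the untrusted-search-path weakness concrete, the following added example (written for this post, not code from VMware, NVISO or the get-versions.sh script) places a deliberately broad pattern of the kind described above beside a hardened variant. The regex, the `TRUSTED_DIRS` allow-list and the sample command lines are constructed assumptions: the point is that a match alone is not a trust decision, and that the normalized directory of the candidate must be on an allow-list before anything is executed with elevated privileges.

```python
import os
import re
import stat

# Directories from which a service binary may be version-probed. This allow-list is an
# assumption for the example, not a setting of VMware Tools or Aria Operations.
TRUSTED_DIRS = frozenset(
    {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"}
)

# A deliberately broad pattern of the kind the write-up describes: it accepts any path
# that ends in "httpd", wherever it lives. Constructed for this example.
BROAD_HTTPD = re.compile(r"\S*/httpd\b")


def broad_match(cmdline: str):
    """Vulnerable style: the first token ending in /httpd wins, even /tmp/httpd."""
    m = BROAD_HTTPD.search(cmdline)
    return m.group(0) if m else None


def vet_candidate(cmdline: str):
    """Hardened style: same regex, but the match is only accepted when its normalized
    directory is on the allow-list. Returns (normalized_path, verdict)."""
    path = broad_match(cmdline)
    if path is None:
        return None, "no-match"
    norm = os.path.normpath(path)  # collapses "/usr/sbin/../../tmp/httpd" to "/tmp/httpd"
    if not norm.startswith("/"):
        return norm, "reject-relative"
    if os.path.dirname(norm) not in TRUSTED_DIRS:
        return norm, "reject-untrusted-dir"
    return norm, "accept"


def dir_is_world_writable(path: str):
    """Runtime check against the real filesystem: True if the binary's directory carries
    the world-writable bit, None if the directory does not exist (keeps the example offline)."""
    try:
        st = os.stat(os.path.dirname(path))
    except FileNotFoundError:
        return None
    return bool(st.st_mode & stat.S_IWOTH)


# Constructed process command lines of the kind a discovery script might read from `ps`.
SAMPLE_CMDLINES = [
    "/usr/sbin/httpd -DFOREGROUND",
    "/tmp/httpd -DFOREGROUND",
    "/usr/sbin/../../tmp/httpd -k start",
    "./httpd -v",
    "python3 -m http.server 8080",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(f"{line!r:40} broad={broad_match(line)!r:32} vetted={vet_candidate(line)}")
```

A real deployment would extend the allow-list to cover legitimate non-standard install locations, and combine the lexical check with `dir_is_world_writable` so that even an allow-listed directory is refused if its permissions have drifted.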

Exploitation can be detected by monitoring unusual child processes from vmtoolsd or get-versions.sh, or by inspecting leftover script files in /tmp/VMware-SDMP-Scripts-{UUID}/.
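The two detection opportunities above, as an added example that is not part of the original post or of any SOC Prime rule: a process-creation rule that flags a root-level child of the discovery chain (vmtoolsd or a shell running get-versions.sh) whose image lives under a user-writable prefix, and a helper that picks leftover `/tmp/VMware-SDMP-Scripts-{UUID}/` directories out of a file listing. The event field names, the writable-prefix list, the UUID and the sample events and listing are constructed assumptions, not real telemetry.

```python
import re

# Parents that legitimately run service discovery. A child they spawn from a
# user-writable location, running as root, is the signal the write-up describes.
DISCOVERY_PARENT = re.compile(r"(?:^|/)(?:vmtoolsd|get-versions\.sh)$")
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Leftover script directory named in the write-up: /tmp/VMware-SDMP-Scripts-{UUID}/
SDMP_DIR = re.compile(
    r"/tmp/VMware-SDMP-Scripts-[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
)


def is_discovery_parent(event):
    """True when the parent is vmtoolsd itself or a shell running get-versions.sh."""
    if DISCOVERY_PARENT.search(event.get("parent_image", "")):
        return True
    return "get-versions.sh" in event.get("parent_cmdline", "")


def suspicious_discovery_child(event):
    """Root-level child of the discovery chain whose image lives under a writable prefix."""
    return (
        is_discovery_parent(event)
        and event.get("user") == "root"
        and event.get("image", "").startswith(WRITABLE_PREFIXES)
    )


def detect(events):
    """Run the rule over process-creation events; return (rule, image, cmdline) per hit."""
    return [
        ("sdmp_child_from_writable_dir", ev["image"], ev["cmdline"])
        for ev in events
        if suspicious_discovery_child(ev)
    ]


def find_leftover_sdmp_dirs(paths):
    """Given a file listing (e.g. output of `find /tmp`), return SDMP script dirs left behind."""
    found = set()
    for p in paths:
        m = SDMP_DIR.search(p)
        if m:
            found.add(m.group(0))
    return sorted(found)


# Constructed process-creation events in a simplified EDR/auditd-like shape (not real telemetry).
UUID = "123e4567-e89b-12d3-a456-426614174000"  # placeholder UUID
SCRIPT = f"/bin/sh /tmp/VMware-SDMP-Scripts-{UUID}/get-versions.sh"
SAMPLE_EVENTS = [
    {"parent_image": "/usr/bin/vmtoolsd", "parent_cmdline": "/usr/bin/vmtoolsd",
     "image": "/bin/sh", "cmdline": SCRIPT, "user": "root"},
    {"parent_image": "/bin/sh", "parent_cmdline": SCRIPT,
     "image": "/usr/sbin/httpd", "cmdline": "/usr/sbin/httpd -v", "user": "root"},
    {"parent_image": "/bin/sh", "parent_cmdline": SCRIPT,
     "image": "/tmp/httpd", "cmdline": "/tmp/httpd -v", "user": "root"},
    {"parent_image": "/usr/sbin/sshd", "parent_cmdline": "sshd: alice",
     "image": "/bin/bash", "cmdline": "-bash", "user": "alice"},
]

# Constructed listing, as if from `find /tmp -path '*VMware-SDMP*'`.
SAMPLE_LISTING = [
    f"/tmp/VMware-SDMP-Scripts-{UUID}/get-versions.sh",
    f"/tmp/VMware-SDMP-Scripts-{UUID}/output.txt",
    "/tmp/systemd-private-abc/tmp",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit)
    print("leftover SDMP dirs:", find_leftover_sdmp_dirs(SAMPLE_LISTING))
```

Note that vmtoolsd spawning a shell for get-versions.sh, and that shell probing `/usr/sbin/httpd -v`, are both expected during discovery and produce no alert; only the child executed from the writable prefix fires. The leftover-directory check is a useful forensic sweep on hosts where process telemetry was not retained, since the directory name pattern is stable while its UUID is not.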

In Q1 2024, APT groups linked to China, North Korea, Iran, and russia showcased increasingly advanced and innovative tactics in cyber-espionage operations, exploiting vulnerabilities in widely used technologies such as VMware. For example, the China-nexus UNC3886 group has been actively deploying an extensive toolkit of malicious techniques, including zero-day exploits in VMware and Fortinet, throughout 2024.

The ongoing in-the-wild exploitation of CVE-2025-41244 has been attributed to UNC5174, a suspected China-sponsored group known for leveraging public exploits in initial access operations.

As potential mitigation steps for CVE-2025-41244, Broadcom has released patches and urges immediate updates to minimize the risk of vulnerability exploitation. Additional recommendations include monitoring for abnormal child processes of vmtoolsd or Aria SDMP, restricting write access to risky directories, and limiting guest VM connectivity to internal networks to reduce the risks of intrusions.

To help organizations timely identify emerging threats and proactively thwart sophisticated attacks, security teams can rely on SOC Prime’s enterprise-ready product suite backed by top expertise and cutting-edge technologies that fuse AI, automation, and real-time threat intelligence for future-proof cyber defense. 
