A critical security flaw in Broadcom VMware Tools and VMware Aria Operations has been actively exploited since October 2024. According to cybersecurity researchers at NVISO Labs, the attacks are linked to a China-based hacking group tracked as UNC5174 (also known as Uteus or Uetus).
The bug, identified as CVE-2025-41244 with a CVSS score of 7.8, is classified as a local privilege escalation vulnerability. This flaw allows attackers with limited access to a virtual machine (VM) to escalate their privileges to root level, potentially enabling full control of the system.
Impacted Products
The vulnerability affects multiple VMware products, including:
- VMware Cloud Foundation 4.x, 5.x, 9.x.x.x, and 13.x.x.x (Windows, Linux)
- VMware vSphere Foundation 9.x.x.x and 13.x.x.x (Windows, Linux)
- VMware Aria Operations 8.x
- VMware Tools 11.x.x, 12.x.x, and 13.x.x.x (Windows, Linux)
- VMware Telco Cloud Platform 4.x and 5.x
- VMware Telco Cloud Infrastructure 2.x and 3.x
Exploitation in the Wild
According to VMware’s security advisory, attackers must first gain access to the vulnerable system through other means before exploiting this flaw. Once inside, a non-administrative user on a VM that has VMware Tools installed and is managed by Aria Operations with SDMP enabled can escalate privileges to root.
NVISO’s researcher Maxime Thiebaut, who discovered the flaw during an incident response engagement on May 19, 2025, confirmed that malicious actors have already used it in live attacks. While Broadcom has not officially acknowledged active exploitation, NVISO attributed the attacks to UNC5174, a group previously linked to exploiting vulnerabilities in Ivanti and SAP NetWeaver.
How the Exploit Works
The weakness lies in a function called get_version(), which uses a regular expression (regex) pattern to identify binaries. Because the pattern relies on the broad \S character class (any non-whitespace character) to capture the binary's path, it also matches non-system binaries located in writable directories such as /tmp.
This allows attackers to stage a fake binary (e.g., /tmp/httpd) that is then executed by the VMware metrics collection service with elevated privileges. NVISO confirmed that UNC5174 leveraged this technique to run a root shell from the /tmp/httpd binary.
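To make the matching flaw concrete, the following added example (not VMware's code, and not from NVISO's report) contrasts a broad \S-style capture with a hardened check that only accepts binaries whose normalized path lies in a trusted, non-writable system directory. The regex, trusted-directory list and process lines are constructed assumptions for illustration.

```python
"""Illustrates why a \\S-based path capture is unsafe for a privileged
metrics collector, and what a hardened path check looks like.
The pattern and sample process lines are constructed, not the real
VMware Tools code or real process data."""
import posixpath
import re
from typing import List, Optional

# Constructed stand-in for the broad pattern described in the article:
# \S+ accepts any non-whitespace run, so any path ending in "httpd" qualifies.
BROAD_PATTERN = re.compile(r"(\S+/httpd)\b")

# Assumed allow-list of directories from which a privileged collector
# may execute a binary to read its version. /tmp is deliberately absent.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin", "/opt")

# Constructed process-listing lines: pid, user, command line.
SAMPLE_PROCESS_LINES = [
    "1234 root /usr/sbin/httpd -k start",
    "4321 www-data /tmp/httpd -v",
    "5555 nobody /usr/sbin/../../tmp/httpd --version",
]


def broad_match(cmdline: str) -> Optional[str]:
    """Vulnerable behaviour: return whatever path the broad regex captures."""
    m = BROAD_PATTERN.search(cmdline)
    return m.group(1) if m else None


def hardened_match(cmdline: str) -> Optional[str]:
    """Accept the captured path only if, after collapsing '..' components,
    it sits directly under one of the trusted directories."""
    candidate = broad_match(cmdline)
    if candidate is None:
        return None
    normalized = posixpath.normpath(candidate)
    if posixpath.dirname(normalized) not in TRUSTED_DIRS:
        return None
    return normalized


def flag_untrusted(lines: List[str]) -> List[str]:
    """Detection helper: paths the broad matcher would have executed but the
    hardened check rejects, i.e. candidates for staged binaries."""
    return [broad_match(line) for line in lines
            if broad_match(line) is not None and hardened_match(line) is None]
```

Running flag_untrusted over the constructed lines reports the /tmp binary and the '..' traversal variant, while the genuine /usr/sbin/httpd passes the hardened check.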
Mitigation and Fixes
VMware has released patches to address this vulnerability:
- VMware Tools 12.4.9 (part of VMware Tools 12.5.4) fixes the flaw on Windows 32-bit systems.
- An updated version of open-vm-tools for Linux systems will be distributed by Linux vendors.
Security Concerns
Thiebaut noted that this exploit highlights the possibility that other malware may have unknowingly benefited from similar privilege escalation bugs for years. NVISO has chosen not to disclose further details about the payload used in these attacks for security reasons.