Local Privilege Escalation in VMware Aria Operations and VMware Tools
CVE-2025-41244

7.8HIGH

Key Information:

Vendor

Vmware
Status
Vcf Operations
Vmware Tools
Vmware Aria Operations
Vmware Cloud Foundation
Vendor
CVE Published:
29 September 2025

Badges

πŸ“ˆ TrendedπŸ“ˆ Score: 3,780πŸ’° RansomwareπŸ‘Ύ Exploit Exists🟑 Public PoCπŸ“° News Worthy

What is CVE-2025-41244?

CVE-2025-41244 is a vulnerability found in VMware Aria Operations and VMware Tools, both of which are essential components for managing virtualized environments. VMware Aria Operations is designed for performance monitoring and optimization of virtual environments, while VMware Tools enhances the performance of virtual machines by providing necessary drivers and utilities. The identified vulnerability allows a malicious actor with non-administrative privileges who has access to a virtual machine (VM) managed by Aria Operations and with VMware Tools installed to escalate their privileges to root within the same VM. This exploitation could lead to severe breaches of security, allowing the attacker to manipulate system functionalities, access sensitive information, and potentially control the environment entirely.

Potential impact of CVE-2025-41244

  1. Unauthorized System Access: The vulnerability allows local actors to gain elevated privileges, which could lead to unauthorized access to critical applications and data within the virtual machine, compromising sensitive information and system integrity.

  2. System Compromise and Control: Exploitation of this vulnerability could enable malicious actors to execute arbitrary code or commands on the VM, potentially leading to a total system compromise. This not only affects the specific VM but may also lead to lateral movement within the network.

  3. Increased Vulnerability to Further Attacks: By escalating privileges, attackers may deploy additional malicious software or ransomware, increasing the overall risk to the organization's IT infrastructure. This escalation could facilitate more sophisticated attacks, including data exfiltration or attacks on interconnected systems.

Affected Version(s)

VCF operations 9.0.x < 9.0.1.0

VMware Aria Operations 8.18.x < 8.18.5

VMware Cloud Foundation 5.x < 8.18.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-41244-PoC
Created by haspiranti

News Articles

favicon imageDark Reading

China Exploited New VMware Bug for Nearly a Year

A seemingly benign privilege-escalation process in VMware and other software has likely benefited attackers and other malware strains for years.

4 weeks ago

favicon imageBleepingComputer

Chinese hackers exploiting VMware zero-day since October 2024

Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024.

4 weeks ago

favicon imageThe Hacker News

Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024

VMware CVE-2025-41244 exploited by UNC5174 since Oct 2024, CVSS 7.8, patch now available.

1 month ago

References

http://support.broadcom.com/group/ecx/support-content-vie...

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ“ˆ

    Vulnerability started trending

  • πŸ’°

    Used in Ransomware

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by The Hacker News

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-41244 : Local Privilege Escalation in VMware Aria Operations and VMware Tools