Local Privilege Escalation in VMware Aria Operations and VMware Tools
CVE-2025-41244
Key Information:
- Vendor
Vmware
- Vendor
- CVE Published:
- 29 September 2025
Badges
What is CVE-2025-41244?
CVE-2025-41244 is a vulnerability found in VMware Aria Operations and VMware Tools, both of which are essential components for managing virtualized environments. VMware Aria Operations is designed for performance monitoring and optimization of virtual environments, while VMware Tools enhances the performance of virtual machines by providing necessary drivers and utilities. The identified vulnerability allows a malicious actor with non-administrative privileges who has access to a virtual machine (VM) managed by Aria Operations and with VMware Tools installed to escalate their privileges to root within the same VM. This exploitation could lead to severe breaches of security, allowing the attacker to manipulate system functionalities, access sensitive information, and potentially control the environment entirely.
Potential impact of CVE-2025-41244
-
Unauthorized System Access: The vulnerability allows local actors to gain elevated privileges, which could lead to unauthorized access to critical applications and data within the virtual machine, compromising sensitive information and system integrity.
-
System Compromise and Control: Exploitation of this vulnerability could enable malicious actors to execute arbitrary code or commands on the VM, potentially leading to a total system compromise. This not only affects the specific VM but may also lead to lateral movement within the network.
-
Increased Vulnerability to Further Attacks: By escalating privileges, attackers may deploy additional malicious software or ransomware, increasing the overall risk to the organization's IT infrastructure. This escalation could facilitate more sophisticated attacks, including data exfiltration or attacks on interconnected systems.
CISA has reported CVE-2025-41244
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-41244 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
VCF operations 9.0.x < 9.0.1.0
VMware Aria Operations 8.18.x < 8.18.5
VMware Cloud Foundation 5.x < 8.18.5
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Xwiki and VMWare vulnerabilities exploited in the wild
A pair of newly exploited vulnerabilities has been added to CISAβs Known Exploited Vulnerabilities Catalog.
3 weeks ago
The StackCVE-2025-41244CISA adds VMware bug to KEV a year after first exploited
CISA updated its known exploited vulnerability catalogue on Thursday to include the VMware bug CVE-2025-41244, first exploited in October 2024.
4 weeks ago
Cyber PressCVE-2025-41244CISA Warns of Actively Exploited 0-Day Vulnerabilities in VMware Tools and Aria Operations
Tracked as CVE-2025-41244, this 0-day flaw poses a significant risk to organizations managing virtualized infrastructure, potentially allowing attackers
1 month ago
References
CVSS V3.1
Timeline
- π¦
CISA Reported
- π‘
Public PoC available
- π
Vulnerability started trending
- π°
Used in Ransomware
- πΎ
Exploit known to exist
- π°
First article discovered by The Hacker News
Vulnerability published
Vulnerability Reserved