UNC5174 Weaponizes VMware CVE-2025-41244 Bug for Privilege Escalation


On September 29, 2025, VMware disclosed a severe local privilege escalation vulnerability affecting both VMware Tools and VMware Aria Operations. The flaw resides in the Service Discovery Management Pack (SDMP) and had already been exploited in the wild by the Chinese APT group UNC5174 for months before public disclosure. It lets an unprivileged local user execute code as root by abusing the overly broad regular expressions the service discovery scripts use to match running processes: any binary whose path ends in a monitored service name, even one in a user-writable directory such as /tmp, is executed by the privileged discovery process.

Severity: High

Vulnerability Details

  • CVE ID: CVE-2025-41244
  • CVSS Score: 7.8
  • CWE: CWE-426 – Untrusted Search Path
  • Vulnerable Function: get_version() in get-versions.sh
  • Description: Local privilege escalation in VMware Tools and VMware Aria Operations, specifically in the Service Discovery Management Pack (SDMP). The discovery scripts locate services by matching process paths against regular expressions that are too permissive (no check on the directory, ownership or permissions of the matched file), so a binary placed in a user-writable directory (e.g. /tmp) and named like a monitored service is executed with the privileges of the discovery process.
  • Affected Products:
    • VMware Tools: v13.x.x, v12.x.x, v11.x.x
    • VMware Cloud Foundation Operations: v9.x.x.x
    • VMware Aria Operations: v8.x, v5.x, v4.x, v3.x, v2.x

A guest VM is vulnerable when VMware Tools is installed in it, the VM is managed by VMware Aria Operations, and SDMP is enabled.

  • Fixed In:
    • VMware Cloud Foundation Operations: v9.0.1.0
    • VMware Tools: v13.0.5, v12.5.4
    • VMware Aria Operations: v8.18.5

Exploitation

  1. Status: Exploited In-The-Wild
  2. Earliest Observed Exploitation: Mid-October 2024
  3. Threat Actor: UNC5174 (Chinese state-sponsored)
  4. Exploitation Method:
    • Malicious Binary Placement:
      • The attacker drops a binary named after a monitored service (e.g. /tmp/httpd) into a user-writable directory such as /tmp and starts it as an ordinary user, so that it shows up as a running process.
      • The regular expressions in VMware's service discovery script (get-versions.sh) match a process by the trailing name of its executable path only, with no check on the directory, ownership or permissions of that file, so /tmp/httpd is treated exactly like /usr/sbin/httpd.
    • Triggering Exploitation:
      • Service discovery runs automatically and periodically, so the attacker only has to keep the process alive and wait: when VMware Tools or VMware Aria Operations (depending on the mode) next enumerates the services and applications in the virtual machine, it executes the matched binary with a version flag to determine its version.
      • This occurs in two modes:
        • Credential-based discovery (via Aria Operations scripts), where Aria Operations uses privileged guest credentials to push and run metrics collector scripts inside the VM.
        • Credential-less discovery (via the VMware Tools plugin), where no credentials are required and discovery runs directly in the privileged VMware Tools context.
    • Privilege Escalation:
      • Once triggered, the malicious binary runs in the privileged context of the service discovery process (either the Aria Operations metrics collector script or the VMware Tools plugin).
      • An attacker who started as an unprivileged local user therefore gains root and can execute arbitrary commands with full system access.
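The mechanism described above, in simplified form, as an added example that is not code from VMware or from the original advisory. The process table, the file ownership table and the version-probe regexes are constructed for illustration and modelled on the get_version() behaviour described above; the exact patterns in get-versions.sh are not reproduced. discover_vulnerable() mirrors the flaw: whatever path the regex captures from a process command line is executed with a version flag. discover_hardened() shows the check a fixed script needs: key on the kernel-reported executable (/proc/<pid>/exe, represented here by the exe field) rather than on argv, which the process owner can set freely, and only run binaries that are root-owned, not group- or world-writable, and under a trusted prefix.

```python
import re
from pathlib import PurePosixPath

# Constructed process table standing in for the running processes the discovery
# script enumerates. "exe" models the kernel-reported /proc/<pid>/exe target;
# "cmdline" is attacker-controllable (argv[0] can be set freely with exec -a).
SAMPLE_PROCESSES = [
    {"pid": 812,  "uid": 0,    "cmdline": "/usr/sbin/httpd -DFOREGROUND",    "exe": "/usr/sbin/httpd"},
    {"pid": 913,  "uid": 0,    "cmdline": "/usr/sbin/mysqld --basedir=/usr", "exe": "/usr/sbin/mysqld"},
    {"pid": 4711, "uid": 1000, "cmdline": "/tmp/httpd",                      "exe": "/tmp/httpd"},
    {"pid": 4712, "uid": 1000, "cmdline": "/home/alice/.local/bin/mysqld",   "exe": "/home/alice/.local/bin/mysqld"},
    {"pid": 4713, "uid": 1000, "cmdline": "/usr/sbin/httpd",                 "exe": "/tmp/.cache/httpd"},  # spoofed argv[0]
    {"pid": 4714, "uid": 1000, "cmdline": "/bin/bash",                       "exe": "/bin/bash"},
]

# Constructed stand-in for os.stat(): path -> (owner uid, permission bits).
SAMPLE_FILES = {
    "/usr/sbin/httpd": (0, 0o755),
    "/usr/sbin/mysqld": (0, 0o755),
    "/opt/app/bin/httpd": (0, 0o777),   # trusted prefix but world-writable
    "/tmp/httpd": (1000, 0o755),
    "/tmp/.cache/httpd": (1000, 0o755),
    "/home/alice/.local/bin/mysqld": (1000, 0o755),
}

# Assumed version probes modelled on the advisory's description of get_version():
# a regex that matches any path ending in the service name, plus the flag used
# to ask the binary for its version. The real script's patterns are not reproduced.
VERSION_PROBES = [
    (re.compile(r"^(\S+/httpd)( |$)"), "-v"),
    (re.compile(r"^(\S+/mysqld)( |$)"), "--version"),
]

TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/local/bin/", "/usr/local/sbin/", "/opt/")


def discover_vulnerable(processes):
    """Vulnerable pattern (CWE-426): the path captured from the command line is
    executed as-is, so /tmp/httpd is probed exactly like /usr/sbin/httpd."""
    commands = []
    for proc in processes:
        for pattern, flag in VERSION_PROBES:
            m = pattern.match(proc["cmdline"])
            if m:
                commands.append(f"{m.group(1)} {flag}")
    return commands


def is_trusted_binary(path, files=SAMPLE_FILES):
    """Accept only absolute, non-traversing paths under a trusted prefix that
    are owned by root and not writable by group or others."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    if not str(p).startswith(TRUSTED_PREFIXES):
        return False
    info = files.get(str(p))
    if info is None:
        return False
    uid, mode = info
    return uid == 0 and not (mode & 0o022)


def discover_hardened(processes, files=SAMPLE_FILES):
    """Hardened pattern: match on the kernel-reported executable, never on
    argv, and refuse anything that fails the trust check. The file that is
    checked is the file that is run."""
    commands = []
    for proc in processes:
        exe = proc["exe"]
        for pattern, flag in VERSION_PROBES:
            if pattern.match(exe) and is_trusted_binary(exe, files):
                commands.append(f"{exe} {flag}")
    return commands


if __name__ == "__main__":
    print("vulnerable discovery would run:")
    for c in discover_vulnerable(SAMPLE_PROCESSES):
        print("  ", c)
    print("hardened discovery would run:")
    for c in discover_hardened(SAMPLE_PROCESSES):
        print("  ", c)
```

On the sample table the vulnerable logic probes /tmp/httpd and the binary under /home/alice as root; the hardened logic probes only the two root-owned binaries under /usr/sbin. Pid 4713 shows why the decision must rest on exe: its argv[0] claims to be /usr/sbin/httpd, but the file actually running is /tmp/.cache/httpd, and the hardened path rejects it. In a real script the stand-ins become os.readlink on /proc/<pid>/exe and os.stat on that path, and the trust check should also reject symlinks that resolve outside the trusted prefixes.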

Recommendations

  1. Immediately apply latest security updates to the affected VMware Tools and Aria Operations.
  2. Temporarily disable SDMP if patching is delayed.
  3. Detection:
    a. Correlate execution of the service discovery scripts (e.g. get-versions.sh and VMware Aria's discovery-related processes) with the child processes they spawn, and alert when those children run from locations that are not normal for system binaries, such as /tmp, /var/tmp or user home directories. Investigate processes such as /tmp/httpd or /tmp/mysqld that should never be executed from those paths.
    b. Under certain circumstances, exploitation in the legacy credential-based mode can be confirmed forensically by analysing lingering metrics collector scripts and their outputs under the /tmp/VMware-SDMP-Scripts-{UUID}/ folders. While less than ideal, this approach may serve as a last resort in environments without process monitoring on the compromised machines.
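Detection rule a. above, run over sample process-creation events, as an added example that is not from the original advisory or from any vendor product. The JSON Lines events, the field names, the script paths and the parent-process markers are constructed for illustration; in a real deployment the fields would come from auditd, eBPF or an EDR's process telemetry. The rule flags a root process started by the SDMP discovery logic (get-versions.sh in credential-less mode, or a script under /tmp/VMware-SDMP-Scripts-{UUID}/ in credential-based mode) whose executable lives in /tmp, /var/tmp, /dev/shm or a home directory, and separately flags the staging step: a daemon-named binary launched from such a directory by any user.

```python
import json
import re
from pathlib import PurePosixPath

# Directories from which no system service binary should ever be executed.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Service names the SDMP version probes look for (assumed subset). Used by the
# staging rule: an unprivileged user starting "/tmp/httpd" is itself worth a look.
DAEMON_NAMES = {"httpd", "mysqld", "nginx", "postgres", "java", "sshd", "tomcat"}

# Assumed markers identifying a parent process as SDMP discovery logic:
# the credential-less plugin script, or the per-run folder of credential-based mode.
DISCOVERY_MARKERS = (
    re.compile(r"(^|[\s/])get-versions\.sh(\s|$)"),
    re.compile(r"/tmp/VMware-SDMP-Scripts-[0-9A-Za-z-]+/"),
)

# Constructed JSON Lines process-creation events (one execve each). The script
# path under /usr/lib/open-vm-tools and the collector name run.sh are assumed.
SAMPLE_EVENTS = """
{"ts": "2025-09-30T02:14:05Z", "pid": 4702, "ppid": 901, "uid": 0, "exe": "/bin/bash", "cmdline": "/bin/bash /usr/lib/open-vm-tools/serviceDiscovery/scripts/get-versions.sh", "parent_cmdline": "/usr/bin/vmtoolsd"}
{"ts": "2025-09-30T02:14:05Z", "pid": 4703, "ppid": 4702, "uid": 0, "exe": "/usr/sbin/httpd", "cmdline": "/usr/sbin/httpd -v", "parent_cmdline": "/bin/bash /usr/lib/open-vm-tools/serviceDiscovery/scripts/get-versions.sh"}
{"ts": "2025-09-30T02:16:41Z", "pid": 4711, "ppid": 3300, "uid": 1000, "exe": "/tmp/httpd", "cmdline": "/tmp/httpd", "parent_cmdline": "-bash"}
{"ts": "2025-09-30T02:19:05Z", "pid": 4720, "ppid": 4702, "uid": 0, "exe": "/tmp/httpd", "cmdline": "/tmp/httpd -v", "parent_cmdline": "/bin/bash /usr/lib/open-vm-tools/serviceDiscovery/scripts/get-versions.sh"}
{"ts": "2025-09-30T02:24:12Z", "pid": 4731, "ppid": 4730, "uid": 0, "exe": "/tmp/mysqld", "cmdline": "/tmp/mysqld --version", "parent_cmdline": "/bin/bash /tmp/VMware-SDMP-Scripts-3f1c2a9e-7b44-4d0e-9c1a-5e6f7a8b9c0d/run.sh"}
{"ts": "2025-09-30T02:30:00Z", "pid": 4740, "ppid": 610, "uid": 0, "exe": "/tmp/cleanup", "cmdline": "/tmp/cleanup", "parent_cmdline": "/usr/sbin/cron"}
"""


def in_untrusted_dir(path):
    return path.startswith(UNTRUSTED_DIRS)


def parent_is_discovery(event):
    """True when the parent command line looks like SDMP discovery logic."""
    parent = event.get("parent_cmdline", "")
    return any(m.search(parent) for m in DISCOVERY_MARKERS)


def classify(event):
    """Return (severity, reason) for a suspicious event, or None."""
    exe = event["exe"]
    if not in_untrusted_dir(exe):
        return None
    # High: the privileged discovery process executed something from a scratch
    # or home directory. This is the escalation itself.
    if event["uid"] == 0 and parent_is_discovery(event):
        return ("high",
                f"root exec of {exe} spawned by SDMP discovery ({event['parent_cmdline']})")
    # Medium: a binary named like a monitored daemon started from an untrusted
    # directory by anyone. This is the staging step that precedes the trigger.
    if PurePosixPath(exe).name in DAEMON_NAMES:
        return ("medium",
                f"daemon-named binary {exe} started from an untrusted directory by uid {event['uid']}")
    return None


def run_detection(jsonl):
    """Return (pid, severity, reason) for every matching event, in input order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        verdict = classify(event)
        if verdict is not None:
            alerts.append((event["pid"],) + verdict)
    return alerts


if __name__ == "__main__":
    for pid, severity, reason in run_detection(SAMPLE_EVENTS):
        print(f"[{severity.upper():6}] pid {pid}: {reason}")
```

On the sample, pid 4711 is the staging alert (an ordinary user running /tmp/httpd), while pids 4720 and 4731 are the escalation itself in the credential-less and credential-based modes respectively. The legitimate probe of /usr/sbin/httpd (pid 4703) and an unrelated root job from /tmp under cron (pid 4740) produce nothing. Tune DAEMON_NAMES to the services SDMP actually probes in your estate, and key the parent match on the parent's exe or process ancestry rather than its command line where your telemetry provides it, since command lines can be spoofed.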




Ampcus Cyber