A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor called UNC5174, according to NVISO Labs.
The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions –
- VMware Cloud Foundation 4.x and 5.x
- VMware Cloud Foundation 9.x.x.x
- VMware Cloud Foundation 13.x.x.x (Windows, Linux)
- VMware vSphere Foundation 9.x.x.x
- VMware vSphere Foundation 13.x.x.x (Windows, Linux)
- VMware Aria Operations 8.x
- VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)
- VMware Telco Cloud Platform 4.x and 5.x
- VMware Telco Cloud Infrastructure 2.x and 3.x
“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” VMware said in an advisory released Monday.
The fact that it’s a local privilege escalation means that the adversary will have to secure access to the infected device through some other means.
NVISO researcher Maxime Thiebaut has been credited for discovering and reporting the shortcoming on May 19, 2025, during an incident response engagement. The company also said VMware Tools 12.4.9, which is part of VMware Tools 12.5.4, remediates the issue for Windows 32-bit systems, and that a version of open-vm-tools that addresses CVE-2025-41244 will be distributed by Linux vendors.
 |
| The vulnerable get_version() function |
While Broadcom makes no mention of it being exploited in real-world attacks, NVISO Labs attributed the activity to a China-linked threat actor Google Mandiant tracks as UNC5174 (aka Uteus or Uetus), which has a track record of exploiting various security flaws, including those impacting Ivanti and SAP NetWeaver, to obtain initial access to target environments.
“When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root),” Thiebaut said. “We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.”
NVISO said the vulnerability is rooted in a function called “get_version()” that takes a regular expression (regex) pattern as input for each process with a listening socket, checks whether the binary associated with that process matches the pattern, and, if so, invokes the supported service’s version command.
“While this functionality works as expected for system binaries (e.g., /usr/bin/httpd), the usage of the broad‑matching \S character class (matching non‑whitespace characters) in several of the regex patterns also matches non-system binaries (e.g., /tmp/httpd),” Thiebaut explained. “These non-system binaries are located within…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
