CISA Adds Actively Exploited VMware Privilege Escalation Zero-Day (CVE-2025-41244) to KEV Catalog

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-41244, a high-severity local privilege escalation (LPE) vulnerability affecting Broadcom's VMware products, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, rated CVSS 7.8, allows a local non-administrative user to escalate privileges to root on a virtual machine. The vulnerability has been actively exploited as a zero-day since at least mid-October 2024 by UNC5174, a threat actor suspected to have links to China. Given the active exploitation by a sophisticated threat actor and the public availability of a proof-of-concept (PoC), immediate patching is critical.

Vulnerability Details

CVE-2025-41244 is an untrusted search path vulnerability. It exists within a shell script utilized by the Service Discovery Management Pack (SDMP) feature in VMware Aria Operations and VMware Tools. The script uses overly broad regular expressions when searching for system binaries. An attacker with low-level privileges on a guest virtual machine can exploit this by placing a malicious executable in a world-writable directory, such as /tmp/.

When the service discovery function is triggered, the vulnerable script may inadvertently execute the attacker's malicious binary instead of the legitimate system command. Because the script runs with high privileges, the attacker's code is executed as the root user, leading to a full privilege escalation.

Affected Systems

The vulnerability impacts multiple VMware products where the Service Discovery Management Pack (SDMP) is enabled:

• VMware Aria Operations
• VMware Tools
• VMware Cloud Foundation
• VMware vSphere Foundation

Administrators should consult the Broadcom security advisory for a full list of affected versions.

Exploitation Status

This vulnerability was exploited as a zero-day before a patch was available. According to researchers at NVISO Labs, who discovered and reported the flaw, the China-linked threat actor UNC5174 has been exploiting it in the wild since mid-October 2024. Following the disclosure, NVISO researchers published a technical deep-dive and a proof-of-concept (PoC) exploit. The combination of nation-state level exploitation and a public PoC significantly increases the risk for all organizations using vulnerable VMware products.

Impact Assessment

An attacker who successfully exploits CVE-2025-41244 can escalate their privileges from a standard user to root within a virtual machine. This level of access allows the attacker to:

• Completely compromise the guest operating system.
• Disable security controls and install persistent backdoors.
• Access all sensitive data stored on the virtual machine.
• Potentially attempt to escape the VM to attack the underlying hypervisor (though this is a separate, more complex attack).
• Use the compromised VM as a staging ground for lateral movement within the network.

Cyber Observables for Detection

• File Creation: Monitor for the creation of executable files in world-writable directories like /tmp/, especially if their names mimic common system utilities (e.g., df, ls, ps).
• Process Monitoring: Look for the VMware service discovery process spawning unexpected child processes from directories like /tmp/.
• Log Analysis: Review logs from VMware tools and Aria Operations for errors or unusual activity related to the service discovery feature.

Detection Methods

• EDR/Endpoint Security: Deploy endpoint security solutions on VMs to detect and block suspicious process execution and file creation in common temporary directories. A rule that flags a process running from /tmp with root privileges would be effective. This is an example of D3-PA: Process Analysis.
• Vulnerability Management: Scan all virtual machines for vulnerable versions of VMware Tools and Aria Operations agents.
• Threat Hunting: Proactively hunt for the PoC's artifacts. The public PoC creates a malicious binary in /tmp/ and triggers its execution. Security teams can search for this specific behavior pattern across their VM fleet.

Remediation Steps

1. Apply Patches: The primary and most critical step is to apply the security patches released by Broadcom for all affected VMware products. This is a direct application of M1051 - Update Software.
2. Disable Service Discovery: If patching is not immediately feasible, consider disabling the Service Discovery Management Pack (SDMP) feature as a temporary mitigation. However, this will result in a loss of functionality.
3. Harden Systems: Enforce security best practices on VMs, such as mounting /tmp with the noexec option to prevent the execution of binaries from that directory. This aligns with M1028 - Operating System Configuration.
4. Verify Patching: After deployment, use vulnerability scanning tools to verify that the patches have been successfully applied and the vulnerability is remediated.