PT-2025-39834 · Vmware+10 · Vmware Aria Operations+11
Maxime Thiebaut · Published 2025-01-01 · Updated 2026-04-13 · CVE-2025-41244
CVSS v3.1: 7.8 High (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions
VMware Aria Operations and VMware Tools versions prior to fixes available since October 2024
open-vm-tools versions prior to 2:11.3.0-2ubuntu0~ubuntu20.04.8+esm1
VMware Cloud Foundation 4.x and 5.x, 9.xxx, 13.xxx
vSphere Foundation 9.xxx, 13.xxx
Telco Cloud Platform 4.x and 5.x
Telco Cloud Infrastructure 2.x and 3.x
Description
VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. This flaw allows a malicious local actor with non-administrative privileges to escalate privileges to root on the same VM. The vulnerability is related to improper handling of regular expressions in the get_version() function within VMware Tools and Aria Operations. Specifically, the use of overly permissive regular expressions allows for the execution of arbitrary binaries in directories accessible to non-privileged users, such as /tmp/httpd. This vulnerability has been actively exploited in the wild by the UNC5174 threat actor since October 2024. The vulnerability impacts VMware Cloud Foundation, vSphere Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure. The SDMP get-versions.sh script is also affected.
Recommendations
Update VMware Aria Operations and VMware Tools to the latest available versions.
Update open-vm-tools to version 2:11.3.0-2ubuntu0~ubuntu20.04.8+esm1 or later.
Disable the SDMP functionality if patching is not immediately feasible.
Monitor systems for suspicious activity, including the creation of unexpected binaries in /tmp/httpd.
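The monitoring recommendation above can be turned into a simple audit. The following is an added example, not code from VMware or from this advisory: it shows how a permissive path pattern accepts a service-named binary in a user-writable location and flags such paths. The two patterns, the trusted-directory list and the sample paths are constructed assumptions, not the contents of get-versions.sh.

```shell
#!/bin/sh
# Added example: patterns, directory list and sample paths are constructed
# assumptions for illustration, not the contents of get-versions.sh.

# Assumed permissive pattern: any directory prefix, then a known service name.
PERMISSIVE='^/[^[:space:]]+/(httpd|nginx|mysqld)($|[[:space:]])'

# Directories only root can write to on a typical Linux install (assumption).
TRUSTED='^/(usr/(local/)?)?(s?bin|lib(64|exec)?)/'

# Succeeds if the path would be picked up by the permissive pattern.
matches_permissive() { printf '%s\n' "$1" | grep -Eq "$PERMISSIVE"; }

# Succeeds if the path lives under a root-owned system directory.
in_trusted_dir() { printf '%s\n' "$1" | grep -Eq "$TRUSTED"; }

# Reads executable paths on stdin and prints those that a permissive matcher
# would accept even though they sit outside the trusted directories.
flag_untrusted() {
    while IFS= read -r exe_path; do
        [ -n "$exe_path" ] || continue
        if matches_permissive "$exe_path" && ! in_trusted_dir "$exe_path"; then
            printf '%s\n' "$exe_path"
        fi
    done
}

# Executable paths of running processes, for a live audit (Linux /proc).
# A binary removed after launch shows up as "<path> (deleted)" and is kept.
running_exe_paths() {
    for exe_link in /proc/[0-9]*/exe; do
        readlink "$exe_link" 2>/dev/null || true
    done | sort -u
}

# Constructed sample input.
SAMPLE_PATHS='/usr/sbin/httpd
/tmp/httpd
/usr/sbin/nginx
/home/alice/.cache/nginx
/usr/bin/python3'

printf 'Flagged in sample:\n'
printf '%s\n' "$SAMPLE_PATHS" | flag_untrusted
```

On a live guest, `running_exe_paths | flag_untrusted` run as root applies the same check to every running process.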
Exploit
Fix
LPE
Affected Products
Alt Linux
Almalinux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Vmware Aria Operations
Vmware Tools