PT-2025-39834 · VMware · VMware Tools
Maxime Thiebaut
·
Published
2025-01-01
·
Updated
2025-10-01
·
CVE-2025-41244
CVSS v3.1: 7.8 (High)
Base vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
VMware Aria Operations versions 8.x and earlier
VMware Tools versions 11.xx, 12.xx, and 13.xx
VMware Cloud Foundation versions 4.x, 5.x, 9.xxx, and 13.xxx
vSphere Foundation versions 9.xxx and 13.xxx
Telco Cloud Platform versions 4.x and 5.x
Telco Cloud Infrastructure versions 2.x and 3.x
open-vm-tools versions prior to 2:11.3.0-2ubuntu0~ubuntu20.04.8+esm1
Description
A local privilege escalation issue exists in VMware Aria Operations and VMware Tools. A local attacker with non-administrative privileges may be able to escalate their privileges to root on a VM managed by Aria Operations with SDMP enabled. The vulnerability is caused by improper handling of regular expressions in the get_version() function, allowing an attacker to execute code with elevated privileges. This flaw has been actively exploited in the wild since October 2024 by a threat actor known as UNC5174. The exploitation involves placing a malicious binary in a directory accessible to non-privileged users, such as /tmp/httpd, and leveraging a socket to gain root access. The vulnerability stems from overly permissive regular expressions used for service discovery, which can match unexpected paths; the get-versions.sh script is involved in this process.
Recommendations
Update VMware Aria Operations to a fixed version.
Update VMware Tools to version 12.4.9 or later, or to VMware Tools 12.5.4 or later.
Update VMware Cloud Foundation to a fixed version.
Update vSphere Foundation to a fixed version.
Update Telco Cloud Platform to a fixed version.
Update Telco Cloud Infrastructure to a fixed version.
Update open-vm-tools to version 2:11.3.0-2ubuntu0~ubuntu20.04.8+esm1 or later.
Disable the SDMP get-versions.sh script.
Tags: Exploit · Fix · LPE
Related Identifiers
CVE-2025-41244
USN-7785-1
Affected Products
Debian
Ubuntu
VMware Aria Operations
VMware Tools
References
- 🔥 https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244 · Exploit
- https://osv.dev/vulnerability/UBUNTU-CVE-2025-41244 · Vendor Advisory
- https://ubuntu.com/security/notices/USN-7785-1 · Vendor Advisory
- https://security-tracker.debian.org/tracker/source-package/open-vm-tools · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-41244 · Security Note
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41244 · Security Note
- https://cve.org/CVERecord?id=CVE-2025-41244 · Security Note
- https://ubuntu.com/security/CVE-2025-41244 · Vendor Advisory
- https://security-tracker.debian.org/tracker/CVE-2025-41244 · Vendor Advisory
- https://osv.dev/vulnerability/USN-7785-1 · Vendor Advisory
- https://twitter.com/IntCyberDigest/status/1973085957021679658 · Twitter Post
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149 · Note
- https://twitter.com/transilienceai/status/1973257052525875363 · Twitter Post
- https://reddit.com/r/SecOpsDaily/comments/1nue1bj/cve202541244_vulnerability_a_new_vmware_tools_and · Reddit Post
- https://twitter.com/CyberWolfGuard/status/1973172379502387267 · Twitter Post