VMware has released a fix for a trivial privilege-escalation vulnerability in its Tools and Aria Operations products that researchers say has been exploited in the wild for nearly a year. 

The vulnerability (CVE-2025-41244) is easily exploitable, although it requires existing privileges on the target product. Researchers at NVISO Labs discovered the bug in May during an incident response engagement and determined that a Chinese state-backed actor known as UNC5174 was exploiting it.

VMware released a patch for the vulnerability on Sept. 29, along with fixes for a handful of other vulnerabilities. 

“Throughout its incident response engagements, NVISO determined with confidence that UNC5174 triggered the local privilege escalation. We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness. UNC5174, a Chinese state-sponsored threat actor, has repeatedly been linked to initial access operations achieved through public exploitation,” Maxime Thiebaut of NVISO Labs said in an analysis of the flaw.

The flaw is trivially exploitable, and Thiebaut said it is exploitable in both credential-based and credential-less service discovery in Aria Operations. It is only reachable, however, by a local attacker who already has some privileges on the target app.

“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” the VMware advisory says. 

Thiebaut said that exploitation of CVE-2025-41244 began as early as October 2024, though some of that activity may have been incidental.

“While NVISO identified these vulnerabilities through its UNC5174 incident response engagements, the vulnerabilities’ trivialness and adversary practice of mimicking system binaries (T1036.005) do not allow us to determine with confidence whether UNC5174 willfully achieved exploitation,” Thiebaut said. 

“The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years. Furthermore, the ease with which these vulnerabilities could be identified in the open-vm-tools source code makes it unlikely that knowledge of the privilege escalations did not predate NVISO’s in-the-wild identification.”
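For defenders, the binary-mimicking practice (T1036.005) described above can be hunted for by comparing each process's name with the directory its executable runs from. The following is an added example, not code from NVISO, VMware or open-vm-tools; the watched names (beyond httpd), the trusted directories and the sample rows are assumptions constructed for illustration.

```python
import os
import posixpath

# Assumed watch list; the article itself names only httpd.
WATCHED_NAMES = {"httpd", "nginx", "sshd", "mysqld"}
# Assumed directories where packaged system binaries normally live.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin", "/usr/libexec")

# Constructed sample inventory, one "pid user exe-path" row per process.
SAMPLE = """\
812 root /usr/sbin/httpd
2290 apache /usr/sbin/httpd
4417 www-data /tmp/httpd
4502 www-data /var/tmp/.cache/sshd (deleted)
5120 alice /home/alice/bin/backup
"""

def classify(exe):
    """Return a reason if exe uses a watched name outside trusted dirs, else None."""
    # Linux appends " (deleted)" to /proc/<pid>/exe when the file was unlinked.
    deleted = exe.endswith(" (deleted)")
    path = posixpath.normpath(exe[: -len(" (deleted)")] if deleted else exe)
    if posixpath.basename(path) not in WATCHED_NAMES:
        return None
    if posixpath.dirname(path) in TRUSTED_DIRS:
        return None
    return "untrusted path, binary deleted" if deleted else "untrusted path"

def scan_rows(text):
    """Return (pid, user, exe, reason) for every row that looks masqueraded."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 2)  # the exe field may contain spaces
        if len(parts) == 3 and (reason := classify(parts[2])):
            findings.append((int(parts[0]), parts[1], parts[2], reason))
    return findings

def live_rows():
    """Build the same row format from /proc on a Linux host (uid in place of user)."""
    rows = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            rows.append(f"{pid} {os.stat(f'/proc/{pid}').st_uid} "
                        f"{os.readlink(f'/proc/{pid}/exe')}")
        except OSError:  # process exited or link not readable by this user
            continue
    return "\n".join(rows)

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE):
        print(finding)
```

On a live Linux host, `scan_rows(live_rows())` applies the same check to running processes; unprivileged users can only resolve the executable path of their own processes.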

VMware also patched several other vulnerabilities on Monday, including a password recovery bug in NSX that was reported by the NSA.