CVE-2025-41244
VMware Tools vulnerability analysis and mitigation

Overview

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability identified as CVE-2025-41244, discovered and disclosed on September 29, 2025. The vulnerability affects VMware Aria Operations and VMware Tools installations, particularly in environments where Service Discovery Management Pack (SDMP) is enabled. This security flaw impacts systems with VMware Tools installed and managed by Aria Operations (VMware Advisory).

Technical details

The vulnerability exists in the service discovery feature of VMware Tools, specifically within the get-versions.sh shell script's get_version function. The function uses broad-matching regular expressions that can match non-system binaries in user-writable directories, leading to untrusted search path vulnerabilities (CWE-426). The vulnerability has received a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVISO Blog, VMware Advisory).
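As an added illustration (not code from VMware Tools, the advisory or the NVISO write-up), the script below contrasts a name-only pattern match with a trusted-directory check and reports process paths that only the former accepts. The pattern, the directory allowlist and the sample PID/path lines are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example. BROAD_RE, TRUSTED_DIRS and the sample lines are constructed
# for illustration; they are not taken from get-versions.sh.
BROAD_RE='/[^[:space:]]+/(httpd|nginx|mysqld)$'  # name-only match, any directory
TRUSTED_DIRS="/usr/sbin /usr/bin /sbin /bin /usr/libexec"

# Succeeds if the path would be selected by the broad, name-only pattern.
broad_match() {
  printf '%s\n' "$1" | grep -Eq "$BROAD_RE"
}

# Succeeds only if the binary sits directly in an allowlisted system directory.
trusted_path() {
  local path="$1" dir d
  case $path in
    */../*|*/./*|[!/]*) return 1 ;;   # must be absolute, no traversal components
  esac
  dir=${path%/*}
  for d in $TRUSTED_DIRS; do
    [ "$dir" = "$d" ] && return 0
  done
  return 1
}

# Reads "PID PATH" lines on stdin and reports paths that the name-only match
# accepts although the binary lives outside the trusted directories.
audit_paths() {
  local pid path
  while read -r pid path; do
    [ -n "$path" ] || continue
    if broad_match "$path" && ! trusted_path "$path"; then
      printf 'SUSPECT pid=%s exe=%s\n' "$pid" "$path"
    fi
  done
}

# Constructed sample input (not real telemetry).
sample_paths() {
  cat <<'EOF'
812 /usr/sbin/httpd
2291 /tmp/httpd
2304 /home/dev/.cache/nginx
977 /usr/sbin/mysqld
3050 /usr/sbin/../../tmp/mysqld
EOF
}

sample_paths | audit_paths
```

On a live host the same check can be fed real PID and executable-path pairs; a stricter variant would also verify that the file and its parent directories are root-owned and not writable by other users.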

Impact

When successfully exploited, this vulnerability allows a malicious local actor with non-administrative privileges to escalate privileges to root on the same VM. The impact is particularly severe in environments using either credential-based or credential-less service discovery modes, as it provides attackers with elevated privileges that can be used to gain complete control over the affected system (NVISO Blog).

Mitigation and workarounds

Broadcom has released patches to address this vulnerability. Organizations should upgrade to the following fixed versions: VMware Tools 13.0.5, VMware Tools 12.5.4, VMware Aria Operations 8.18.5, or VMware Cloud Foundation Operations 9.0.1.0. For Linux systems, a patched version of open-vm-tools will be distributed through Linux vendors. No workarounds are available, making patching the only effective mitigation strategy (VMware Advisory).

Community reactions

The security community has expressed significant concern about this vulnerability, particularly due to its lengthy exploitation period before discovery. The ease of exploitation and its use by state-sponsored threat actors have heightened awareness about the importance of proper service discovery configuration and timely patch management in virtualized environments (NVISO Blog).

Source: This report was generated using AI

Related VMware Tools vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-41244 | HIGH | 7.8 | VMware Tools | open-vm-tools | Yes | Yes | Sep 29, 2025 |
| CVE-2025-22230 | HIGH | 7.8 | VMware Tools | cpe:2.3:a:vmware:tools:*:*:*:*:*:windows:*:* | No | Yes | Mar 25, 2025 |
| CVE-2025-41246 | HIGH | 7.6 | VMware Tools | cpe:2.3:a:vmware:tools | No | Yes | Sep 29, 2025 |
| CVE-2023-34058 | HIGH | 7.5 | VMware Tools | open-vm-tools-sdmp | No | Yes | Oct 27, 2023 |
| CVE-2025-41239 | HIGH | 7.1 | VMware Workstation | VMware_bootbank_esx-base | No | Yes | Jul 15, 2025 |
