CVE-2025-41244

Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

A flaw was found in VMWare open-vm-tools. A malicious actor with non-administrative privileges on a guest Virtual Machine (VM) could exploit this vulnerability to gain root privileges on the VM. The issue lies in the service-discovery plugin logic, which can execute attacker-controlled binaries from writable paths such as /tmp. Exploitation requires the open-vm-tools-sdmp package to be installed and guest service discovery to be enabled.

It was discovered that Open VM Tools incorrectly handled permissions with version checking. An attacker could possibly use this issue to escalate privileges inside a virtual machine. This update disables the SDMP get-versions.sh script, so version information may no longer be made available.

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-09-29 CVE Published
2025-10-30 Exploited in Wild
2025-11-20 KEV Due Date
2026-02-26 CVE Updated
2026-04-06 EPSS Updated
---------- First Exploit

CWE

CWE-267: Privilege Defined With Unsafe Actions
CWE-280: Improper Handling of Insufficient Permissions or Privileges

CAPEC

References (5)

URL	Tag	Source
http://support.broadcom.com/group/ecx/support-content-view/-/support-content/Security%20Advisories/VMSA-2025-0015--VMware-Aria-Operations-and-VMware-Tools-updates-address-multiple-vulnerabilities--CVE-2025-41244-CVE-2025-41245--CVE-2025-41246-/36149
https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2025-41244	2025-10-07
https://bugzilla.redhat.com/show_bug.cgi?id=2397752	2025-10-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Aus Search vendor "Redhat" for product "Rhel Aus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel E4s Search vendor "Redhat" for product "Rhel E4s"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Eus Search vendor "Redhat" for product "Rhel Eus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Eus Long Life Search vendor "Redhat" for product "Rhel Eus Long Life"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Tus Search vendor "Redhat" for product "Rhel Tus"				*		-		Affected
Vmware Search vendor "Vmware"		Aria Operations Search vendor "Vmware" for product "Aria Operations"				*		-		Affected
Vmware Search vendor "Vmware"		Cloud Foundation Search vendor "Vmware" for product "Cloud Foundation"				*		-		Affected
Vmware Search vendor "Vmware"		Cloud Foundation Operations Search vendor "Vmware" for product "Cloud Foundation Operations"				*		-		Affected
Vmware Search vendor "Vmware"		Open Vm Tools Search vendor "Vmware" for product "Open Vm Tools"				*		-		Affected
Vmware Search vendor "Vmware"		Telco Cloud Infrastructure Search vendor "Vmware" for product "Telco Cloud Infrastructure"				*		-		Affected
Vmware Search vendor "Vmware"		Telco Cloud Platform Search vendor "Vmware" for product "Telco Cloud Platform"				*		-		Affected
Vmware Search vendor "Vmware"		Tools Search vendor "Vmware" for product "Tools"				*		-		Affected
Vmware Search vendor "Vmware"		Vmware Search vendor "Vmware" for product "Vmware"				*		-		Affected
Alibabacloud Search vendor "Alibabacloud"		Alibaba Cloud Linux 3 Search vendor "Alibabacloud" for product "Alibaba Cloud Linux 3"				*		-		Affected
Alma Search vendor "Alma"		Linux Search vendor "Alma" for product "Linux"				*		-		Affected
Amazon Search vendor "Amazon"		Linux Search vendor "Amazon" for product "Linux"				*		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				*		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				*		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				*		-		Affected
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Aus Search vendor "Redhat" for product "Rhel Aus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel E4s Search vendor "Redhat" for product "Rhel E4s"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Eus Search vendor "Redhat" for product "Rhel Eus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Tus Search vendor "Redhat" for product "Rhel Tus"				*		-		Affected
Rocky Search vendor "Rocky"		Linux Search vendor "Rocky" for product "Linux"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-basesystem Search vendor "Suse" for product "Sle-module-basesystem"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-containers Search vendor "Suse" for product "Sle-module-containers"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-desktop-applications Search vendor "Suse" for product "Sle-module-desktop-applications"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc-espos Search vendor "Suse" for product "Sle Hpc-espos"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc-ltss Search vendor "Suse" for product "Sle Hpc-ltss"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc Search vendor "Suse" for product "Sle Hpc"				*		-		Affected
Suse Search vendor "Suse"		Sled Search vendor "Suse" for product "Sled"				*		-		Affected
Suse Search vendor "Suse"		Sles-ltss-extended-security Search vendor "Suse" for product "Sles-ltss-extended-security"				*		-		Affected
Suse Search vendor "Suse"		Sles-ltss Search vendor "Suse" for product "Sles-ltss"				*		-		Affected
Suse Search vendor "Suse"		Sles Search vendor "Suse" for product "Sles"				*		-		Affected
Suse Search vendor "Suse"		Sles Sap Search vendor "Suse" for product "Sles Sap"				*		-		Affected
Suse Search vendor "Suse"		Suse-manager-proxy-lts Search vendor "Suse" for product "Suse-manager-proxy-lts"				*		-		Affected
Suse Search vendor "Suse"		Suse-manager-server-lts Search vendor "Suse" for product "Suse-manager-server-lts"				*		-		Affected
Uos Search vendor "Uos"		Uos Server 20 Search vendor "Uos" for product "Uos Server 20"				*		-		Affected