CVE Alert: CVE-2025-41244 – VMware – VCF operations

CVE-2025-41244

HIGH · Exploitation active

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

CVSS v3.1 (7.8)
AV LOCAL · AC LOW · PR LOW · UI NONE · S UNCHANGED
Vendor
VMware
Product
VCF operations, VMware tools, VMware Aria Operations, VMware Cloud Foundation, VMware Telco Cloud Platform, VMware Telco Cloud Infrastructure
Versions
9.0.x < 9.0.1.0 | 13.x.x.x < 13.0.5.0 | 12.5.x < 12.5.4 | 8.18.x < 8.18.5 | 5.x < 8.18.5 | 4.x < 8.18.5 | 5.x < 8.18.5 | 4.x < 8.18.5 | 3.x < 8.18.5 | 2.x < 8.18.5
CWE
CWE-267
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-09-29T16:09:51.871Z
Updated
2025-10-30T17:33:48.636Z

AI Summary Analysis

Risk verdict

High-risk local privilege escalation is actively exploitable in affected VMware Aria Operations and VMware Tools; treat as priority 1 due to KEV presence and exploitation state.

Why this matters

A malicious local actor with limited VM access can elevate to root within that VM, enabling data tampering, credential access, or persistence. Because Aria Operations and SDMP-enabled VMware Tools deployments are common in production environments, the same weakness is likely present on many VMs at once, and a compromise of individual guests can undermine central management workflows.

Most likely attack path

Attacker requires local access to a VM with VMware Tools installed and SDMP enabled; no user interaction is needed and privileges are low at entry. The exploit would escalate within the same VM, with scope remaining unchanged, offering potential escalation to full root within that host environment but limited immediate cross-VM movement unless additional vulnerabilities are chained.

Who is most exposed

Organisations running large-scale VMware deployments managed by Aria Operations, especially where VMware Tools are widely deployed and SDMP features are active, such as data centres, private clouds, and telecom cloud platforms.

Detection ideas

  • Unauthorised privilege escalations within a VM (root-owned processes, new privileged binaries).
  • Changes to VMware Tools components or SDMP configuration detected in system logs.
  • Anomalous local login activity by non-administrative accounts.
  • Unusual process activity or kernel-level traces indicative of privilege escalation.
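An added hunting check for the first and last bullets above (not from the advisory or from VMware): it scans a process snapshot for root-owned processes whose executable lives outside the usual system directories. The `ps` sample is constructed and the trusted-prefix list is an assumption to tune per guest image.

```python
"""Flag root-owned processes executing from outside trusted system paths.

Input is modelled on `ps -eo user,pid,ppid,args` output. The trusted-prefix
list below is an assumption for a typical Linux guest, not a VMware-supplied list.
"""
import re
from typing import Dict, List

# Assumption: directories from which root processes are normally expected to run.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/", "/etc/")
# Kernel threads show up as [kworker/0:1] and have no on-disk binary to check.
KTHREAD = re.compile(r"^\[.*\]$")

def parse_ps_line(line: str) -> Dict[str, str]:
    """Split one `ps -eo user,pid,ppid,args` row into its four fields."""
    user, pid, ppid, args = line.split(None, 3)
    return {"user": user, "pid": pid, "ppid": ppid, "args": args}

def is_suspicious(proc: Dict[str, str]) -> bool:
    """True for a root process whose absolute executable path is untrusted."""
    if proc["user"] != "root":
        return False
    exe = proc["args"].split()[0]
    if KTHREAD.match(exe) or not exe.startswith("/"):
        return False  # kernel thread, or bare name resolved via PATH (unknown origin)
    return not exe.startswith(TRUSTED_PREFIXES)

def find_suspicious(ps_output: str) -> List[str]:
    """Return PIDs of root processes that warrant review, header row skipped."""
    rows = [r for r in ps_output.splitlines()[1:] if r.strip()]
    return [p["pid"] for p in (parse_ps_line(r) for r in rows) if is_suspicious(p)]

# Constructed sample snapshot (not real telemetry).
SAMPLE_PS = """\
USER       PID  PPID ARGS
root         1     0 /sbin/init
root       812     1 /usr/bin/vmtoolsd
root       903     2 [kworker/0:1]
alice     1201  1150 /home/alice/tools/build.sh
root      1337  1150 /home/alice/.cache/helper --serve
root      1402     1 /usr/sbin/sshd -D
"""

if __name__ == "__main__":
    for pid in find_suspicious(SAMPLE_PS):
        print(f"review PID {pid}: root process outside trusted system paths")
```

Run it periodically or feed it live `ps` output; a hit is a starting point for review, not proof of exploitation, since legitimate root helpers can also run from non-standard locations.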

Mitigation and prioritisation

  • Apply vendor patches for Aria Operations and VMware Tools to address CVE-2025-41244/45/46; verify patch compatibility in a test environment before production rollout.
  • Enforce least privilege for VM users, tighten SDMP access controls, and restrict local admin rights.
  • Monitor privileged activity and SDMP-related events; enable rapid alerting for escalation attempts.
  • Validate backups and implement rapid recovery plans; segregate management networks where feasible.
  • Treat as priority 1 due to KEV and active exploitation indicators.
