What is VMware Aria Operations and VMware Tools SDMP?
VMware Aria Operations (formerly vRealize Operations) is an IT operations management platform that monitors, analyzes, and optimizes VMware vSphere environments. Its Service Discovery Management Pack (SDMP) component automatically discovers and inventories services running inside virtual machines by periodically running discovery scripts on the guest OS.
VMware Tools is the software package installed inside every VMware guest VM to enable management functions, performance monitoring, and guest-host communication.
When Aria Operations' SDMP is enabled and manages VMs with VMware Tools installed, the SDMP discovery scripts run inside guest VMs with root-level privileges — creating a privilege escalation surface exploitable from within any managed guest VM.
Overview
CVE-2025-41244 is a privilege-defined-with-unsafe-actions vulnerability (CWE-267) in VMware Tools when managed by Aria Operations with SDMP enabled. The SDMP's get_versions.sh script uses a regex pattern that inadvertently matches binaries in user-writable directories (e.g., /tmp/httpd). A local low-privilege attacker places a malicious binary at a matched path; when SDMP's discovery cron runs, it executes the binary with root privileges. NVISO Labs discovered forensic evidence that UNC5174, a Chinese state-sponsored APT, exploited this as a zero-day for approximately one year before the patch was released.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| VMware Aria Operations | < 8.18.5 | 8.18.5 |
| VMware Tools 12.x | < 12.5.4 | 12.5.4 |
| VMware Tools 13.x | < 13.0.5 | 13.0.5 |
| VMware Tools 11.x | All versions | No fix (EOL — upgrade Tools) |
| VMware Cloud Foundation Ops | < 9.0.1.0 | 9.0.1.0 |
Prerequisite: SDMP must be enabled and managing VMs with VMware Tools installed.
Technical Details
The vulnerable get_versions.sh script in the Aria Operations SDMP uses regex patterns to find system service binaries for version inventory. The pattern /\S+/(httpd-prefork|httpd|httpd2-prefork) — matching "any non-whitespace path" followed by the binary name — inadvertently matches binaries in user-writable directories like /tmp, /var/tmp, or $HOME.
A low-privilege attacker places a malicious binary named httpd (or another matched name) at /tmp/httpd. When the SDMP discovery cron runs (approximately every 5 minutes), it finds and executes /tmp/httpd with root privileges, granting the attacker full root access to the guest VM.
Key characteristics:
- Only requires local VM access (any unprivileged account)
- SDMP runs automatically on a cron schedule — no attacker interaction needed after binary placement
- Exploitable from inside any guest VM managed by Aria Operations with SDMP enabled
- Attack complexity is Low (AC:L) — finding and writing to /tmp is trivial
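To make the matching problem concrete, here is an added Python example (not code from this page, from Broadcom, or from NVISO) that applies the pattern quoted above to constructed sample paths and contrasts it with a hardened check that additionally requires the binary to live under a root-owned directory. Anchoring the regex to the full path and the list of trusted directories are assumptions; the vendor's actual fix is not described on this page.

```python
import os
import re

# Regex as the page describes it for get_versions.sh: any non-whitespace
# path prefix followed by one of the service binary names.
SDMP_HTTPD_PATTERN = re.compile(r"/\S+/(httpd-prefork|httpd|httpd2-prefork)")

# Assumed allowlist of directories that only root can write to on a typical
# Linux guest. Adjust to the distribution's packaging layout.
TRUSTED_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                    "/usr/local/sbin/", "/usr/local/bin/")


def vulnerable_match(path: str):
    """Original behaviour: the file name alone decides (anchoring assumed)."""
    m = SDMP_HTTPD_PATTERN.fullmatch(path)
    return m.group(1) if m else None


def hardened_match(path: str):
    """Same name match, but only for binaries under a root-owned directory.

    The path is normalised first so '/usr/sbin/../../tmp/httpd' cannot
    smuggle a user-writable location past the prefix check.
    """
    clean = os.path.normpath(path)
    m = SDMP_HTTPD_PATTERN.fullmatch(clean)
    if not m or not clean.startswith(TRUSTED_BIN_DIRS):
        return None
    return m.group(1)


def classify(paths):
    """Return {path: (vulnerable_result, hardened_result)} for triage."""
    return {p: (vulnerable_match(p), hardened_match(p)) for p in paths}


# Constructed sample of executable paths as a discovery script might see them.
SAMPLE_PATHS = [
    "/usr/sbin/httpd",              # legitimate Apache on RHEL-style hosts
    "/tmp/httpd",                   # the user-writable location named on the page
    "/var/tmp/httpd2-prefork",
    "/home/alice/httpd-prefork",
    "/usr/sbin/../../tmp/httpd",    # traversal aimed at a naive prefix check
    "/usr/sbin/nginx",              # not matched by this pattern at all
]

if __name__ == "__main__":
    for p, (vuln, hard) in classify(SAMPLE_PATHS).items():
        print(f"{p:30} vulnerable={vuln!s:15} hardened={hard}")
```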
Discovery
NVISO Labs — Maxime Thiebaut — identified forensic indicators during a customer incident response in May 2025. Forensic timeline reconstruction estimated UNC5174 had been exploiting the vulnerability since approximately October 2024 — nearly 12 months as a zero-day.
Exploitation Context
UNC5174 (also tracked as Earth Freybug by Trend Micro), a Chinese state-sponsored APT with nexus to Ministry of State Security (MSS) contractor activities, exploited this vulnerability in targeted attacks against enterprise VMware environments. The approximately 11-month zero-day window allowed significant undetected access. CISA added the vulnerability to the KEV catalog on October 30, 2025.
Remediation
- Apply patches: Aria Operations 8.18.5+, VMware Tools 12.5.4+ or 13.0.5+, Cloud Foundation 9.0.1.0+. Upgrade EOL VMware Tools 11.x to a supported version.
- Disable SDMP if service discovery functionality is not operationally required — this eliminates the attack surface entirely.
- Hunt for suspicious binaries in /tmp, /var/tmp, and user home directories on all managed VMs named httpd, httpd2-prefork, httpd-prefork, and other service binary names matched by SDMP patterns.
- Review SDMP discovery logs for unexpected binary execution events across managed guest VMs.
- Assume compromise on VMware environments that were exposed to the internet and managed with SDMP since October 2024 — UNC5174 had a 12-month window.
- Rotate all credentials stored on or accessible from managed VMs, particularly any that could be used for lateral movement within the VMware environment.
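As an added example of the hunt described above (constructed for this page, not a tool from any of the page's sources), the Python script below walks the named directories for files carrying the SDMP-matched service names and records owner, mode and modification time for triage. It builds a throwaway directory tree with one planted file so it can be run offline; on a real guest you would pass the real /tmp, /var/tmp and home directories and run it as root.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# Binary names the page lists as matched by the SDMP patterns.
SUSPECT_NAMES = {"httpd", "httpd2-prefork", "httpd-prefork"}


def hunt(roots):
    """Walk the given directories and report every file whose basename is in
    SUSPECT_NAMES. Symlinks are not followed, so a planted link cannot steer
    the walk elsewhere. Returns a list of dicts suitable for a ticket or SIEM.
    """
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            for name in files:
                if name not in SUSPECT_NAMES:
                    continue
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                findings.append({
                    "path": full,
                    "uid": st.st_uid,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "executable": bool(st.st_mode & stat.S_IXUSR),
                    "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                })
    return findings


def build_constructed_tree():
    """Create a throwaway tree mimicking /tmp and a home directory, with one
    planted 'httpd' and a benign file. Constructed for this demo only."""
    base = tempfile.mkdtemp(prefix="sdmp-hunt-")
    os.makedirs(os.path.join(base, "tmp"))
    os.makedirs(os.path.join(base, "home", "alice", ".cache"))
    planted = os.path.join(base, "tmp", "httpd")
    with open(planted, "wb") as f:
        f.write(b"#!/bin/sh\n")  # contents are irrelevant to the hunt
    os.chmod(planted, 0o755)
    with open(os.path.join(base, "home", "alice", "notes.txt"), "w") as f:
        f.write("benign\n")
    return base


if __name__ == "__main__":
    base = build_constructed_tree()
    for hit in hunt([os.path.join(base, "tmp"), os.path.join(base, "home")]):
        print(hit)
```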
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-41244 |
| Vendor / Product | Broadcom — VMware Aria Operations and VMware Tools |
| NVD Published | 2025-09-29 |
| NVD Last Modified | 2025-11-06 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-267 |
| CISA KEV Added | 2025-10-30 |
| CISA KEV Deadline | 2025-11-20 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-10-01 | UNC5174 (China nexus) begins exploiting as a zero-day in targeted attacks (estimated from forensic analysis) |
| 2025-05-27 | NVISO Labs discovers forensic indicators during incident response; reports to Broadcom |
| 2025-09-29 | Broadcom releases patches; CVE disclosed; NVISO publishes research |
| 2025-10-30 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-11-20 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Broadcom Security Advisory VMSA-2025-0022 | Vendor Advisory |
| NVD — CVE-2025-41244 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| NVISO Labs — You Name It, VMware Elevates It: CVE-2025-41244 | Security Research |
| Ampcus Cyber — UNC5174 Weaponizes VMware CVE-2025-41244 | Security Research |