A zero-day vulnerability affecting VMware Tools and VMware Aria Operations has surfaced and is drawing urgent attention across the security community. Disclosed on October 1, 2025, the flaw was already being exploited in the wild at the time of disclosure and poses a serious risk to any organization running VMware virtualization environments.
The Vulnerability Explained
The flaw, now tracked as CVE-2025-41244, carries a CVSS 3.1 score of 7.8, placing it in the high-severity band. In plain terms, it lets an attacker who already has an unprivileged local account (or code execution as an unprivileged user) on a guest VM escalate to root, giving them full control of that system.
The problem lies in VMware's service discovery feature, which ships both with VMware Tools (run by vmtoolsd inside the guest) and with VMware Aria Operations' service discovery (SDMP).
Security researchers confirmed the vulnerability also impacts open-vm-tools, the open-source version of VMware Tools shipped with most major Linux distributions.
How the Exploit Works
The root cause is an untrusted search path weakness (CWE-426) in a script called get-versions.sh. This script is meant to identify the versions of services running on a VM, but the regular expressions it uses to pick out the service binaries are overly broad.
For example, the pattern meant to find the real Apache web server binary matches any running process whose path ends in httpd, not just /usr/sbin/httpd. An attacker can therefore place a malicious binary named httpd in a user-writable directory such as /tmp, start it so that it shows up in the process table, and wait. On the next discovery run, vmtoolsd selects the fake binary and executes it (to ask it for its version) with root privileges, handing the attacker full control of the system.
Even more concerning, the discovery process runs automatically every five minutes, so this is not a one-shot race: the attacker gets a fresh opportunity on every cycle.
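To make the untrusted-search-path issue concrete, here is an added shell model of the selection step (example code written for this page, not VMware's get-versions.sh and not the vendor's patch). It works on a constructed list of running binaries instead of the live process table and prints the command that would be run as root rather than executing anything. The hardened selector is an assumed fix that restricts matches to system directories; the exact patterns of the real script are not reproduced here.

```shell
#!/bin/sh
# Added example, not VMware's code: a model of the untrusted-search-path bug
# in get-versions.sh. The real script walks the live process table and runs
# the matched binary with a version flag as root; this model works on a
# constructed list of binary paths and only prints what would be executed.

# Constructed sample process table (full path of each running binary).
# /tmp/httpd is the attacker's fake binary, started so that it shows up in ps.
SAMPLE_PROCS='/usr/sbin/httpd
/usr/sbin/sshd
/tmp/httpd
/home/alice/.local/bin/mysqld
/usr/sbin/mysqld'

# Vulnerable selection, modelled on the broad pattern: any running binary whose
# path ends in /<name> is treated as the real service, wherever it lives.
vulnerable_select() {
    printf '%s\n' "$SAMPLE_PROCS" | grep -E "^[^[:space:]]*/$1\$"
}

# Hardened selection (an assumed fix, not the vendor patch): only accept binaries
# under root-owned system directories, so a copy in /tmp or $HOME never matches.
hardened_select() {
    printf '%s\n' "$SAMPLE_PROCS" | grep -E "^/(usr/(local/)?)?s?bin/$1\$"
}

# What the discovery step would do with each match: run "<path> <flag>" as root.
# Here the command line is printed instead of executed.
plan_version_probes() {
    # $1: selector function, $2: service basename, $3: version flag
    "$1" "$2" | while IFS= read -r bin; do
        printf 'would run as root: %s %s\n' "$bin" "$3"
    done
}

# Count how many selected binaries live outside system directories.
count_untrusted() {
    "$1" "$2" | grep -c -v -E '^/(usr/(local/)?)?s?bin/'
}

if [ "${1:-}" = "demo" ]; then
    echo "# vulnerable selector:"; plan_version_probes vulnerable_select httpd -v
    echo "# hardened selector:";   plan_version_probes hardened_select httpd -v
fi
```

Run it with `sh model.sh demo` to see both selectors side by side. The directory allow-list is only a model of the fix: a production version would also have to refuse binaries in any directory writable by non-root users, and the correct remediation remains the vendor patch.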
Who's Behind the Exploits?
Evidence points to UNC5174, a China-linked threat actor known for folding public exploits into its operations. The group has already been observed leveraging this vulnerability in live attacks.
Affected Products
Broadcom's advisory lists a wide range of VMware products as affected.
In other words, if your organization runs VMware-based workloads, there is a good chance something in your stack is affected, and because open-vm-tools is also in scope, Linux guests managed outside VMware's own tooling count too.
Patches and Mitigations
Broadcom has already released security patches and lists the fixed versions in its advisory; organizations are strongly urged to update immediately.
For those unable to patch right away, temporary measures centre on detection: watch for unusual child processes spawned by vmtoolsd or get-versions.sh, in particular anything executed from /tmp or another user-writable location. In credential-based setups, forensic traces may also be left behind in /tmp/VMware-SDMP-Scripts-{UUID}/ directories, so preserve those before they are cleaned up.
Indicators of Compromise (IoCs)
While a complete analysis is still underway, early IoCs tied to UNC5174's operations include:
Domains:
gooogleasia[.]com (note the misspelling of Google)
sex666vr[.]com
IP addresses were published alongside the domains. Admins are advised to check DNS, proxy and firewall logs for connections to any of these endpoints.
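The following added shell script (example code written for this page, not part of Broadcom's advisory) turns the mitigation advice above and the IoC list into three triage checks that run over constructed samples: a hunt for children of vmtoolsd or get-versions.sh executing from outside system directories (the credential-less path), a listing of /tmp/VMware-SDMP-Scripts-* staging directories (the credential-based path), and a refanged match of the published domains against DNS log lines. The process snapshot, the open-vm-tools script path inside it and the log line format are all assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the vendor. All inputs below are
# constructed samples; the script path under /usr/lib/open-vm-tools/ and the
# DNS log format are assumptions made for the demonstration.

# Constructed "ps -eo pid,ppid,user,args" snapshot. Process 1340 is the
# exploitation pattern: get-versions.sh (child of vmtoolsd) running a
# binary from /tmp as root. Process 2201 is the attacker's decoy, started
# as an unprivileged user so that it appears in the process table.
sample_snapshot() {
    cat <<'EOF'
PID PPID USER COMMAND
1 0 root /sbin/init
812 1 root /usr/bin/vmtoolsd
1334 812 root /bin/sh /usr/lib/open-vm-tools/serviceDiscovery/scripts/get-versions.sh
1340 1334 root /tmp/httpd -v
1341 1334 root /usr/sbin/httpd -v
2201 1 alice /tmp/httpd
EOF
}

# Flag every process whose parent is vmtoolsd or get-versions.sh and whose
# executable lives outside root-owned system directories. Reads a ps
# snapshot on stdin and prints one ALERT line per hit.
hunt_discovery_children() {
    awk 'NR == 1 { next }
    {
        c = $4; for (i = 5; i <= NF; i++) c = c " " $i
        cmd[$1] = c; par[$1] = $2; exe[$1] = $4; usr[$1] = $3
    }
    END {
        for (p in par) {
            pp = par[p]
            if (!(pp in cmd)) continue
            if (cmd[pp] !~ /vmtoolsd|get-versions\.sh/) continue
            if (exe[p] ~ /^\/(usr\/|bin\/|sbin\/|lib)/) continue
            printf "ALERT pid=%s user=%s exe=%s parent=%s (%s)\n", p, usr[p], exe[p], pp, cmd[pp]
        }
    }'
}

# Credential-based mode: list the script staging directories so their
# contents can be preserved. $1 overrides /tmp (used by the test below).
find_sdmp_dirs() {
    find "${1:-/tmp}" -maxdepth 1 -type d -name 'VMware-SDMP-Scripts-*'
}

# Published domain IoCs, defanged exactly as in the write-up ([.] for .).
IOC_DOMAINS='gooogleasia[.]com
sex666vr[.]com'

# Constructed DNS query log lines: two benign, two hitting the IoCs.
sample_dns_log() {
    cat <<'EOF'
2025-10-02T09:14:03Z client 10.0.5.21 query A www.google.com
2025-10-02T09:14:07Z client 10.0.5.21 query A gooogleasia.com
2025-10-02T09:15:11Z client 10.0.7.9 query A cdn.example.net
2025-10-02T09:16:40Z client 10.0.7.9 query A update.sex666vr.com
EOF
}

# Refang the IoC list and print every log line (stdin) that contains one of
# the domains. Substring matching means subdomains of an IoC are caught too.
grep_ioc_domains() {
    pats=$(mktemp)
    printf '%s\n' "$IOC_DOMAINS" | sed 's/\[\.\]/./g' > "$pats"
    grep -F -f "$pats"
    rc=$?
    rm -f "$pats"
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    sample_snapshot | hunt_discovery_children
    find_sdmp_dirs
    sample_dns_log | grep_ioc_domains
fi
```

On a live system replace `sample_snapshot` with `ps -eo pid,ppid,user,args` and feed real resolver or proxy logs to `grep_ioc_domains`; the allow-list of system directories in the hunt is deliberately strict, so expect to tune it for guests that run services from /opt or similar.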
Why This Matters
VMware sits at the heart of many enterprises, powering critical workloads, cloud environments and telecom infrastructure, and the vulnerable discovery code runs as root inside every guest that has it enabled. A flaw that lets a low-privileged attacker escalate to root on those guests could be catastrophic if left unpatched.
For now, the best course of action is clear: patch immediately, monitor for suspicious behavior, and audit your VMware environments.