CVE-2025-41244 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-09-29

Added to CISA KEV: 2025-10-30 31 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review VM logs for unauthorized privilege escalations, check for suspicious root-level activities, verify system integrity
Immediately update VMware Tools to version 13.0.5.0 or later (13.x) and 12.5.4 or later (12.5.x)
Update VMware Aria Operations to version 8.18.5 or later
Monitor VM access logs for unusual local login patterns and privilege escalation attempts
Implement additional access controls and monitoring for VMs managed by Aria Operations
Patch priority: HIGH due to CISA KEV listing and available exploit code

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-41244 is a critical local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools ^[1] ^[2].

Overview and Impact

Vulnerability Type: Local Privilege Escalation (LPE) ^[1].
Impact: A successful exploit allows a malicious local actor with non-administrative privileges to escalate their access to root privileges on the affected virtual machine (VM) ^[1].

Exploitation Details

Requirements: The vulnerability requires the attacker to have non-administrative access to a VM that has VMware Tools installed and is managed by VMware Aria Operations with SDMP (Service Discovery Management Protocol) enabled ^[3] ^[1].
Attack Vector: This is a local attack; it does not require network access to the host or external user interaction, provided the attacker already has a foothold on the guest VM ^[1].
Active Exploitation: The vulnerability was identified as being exploited in the wild as a zero-day as early as mid-October 2024 ^[2] ^[6].
Detection: Exploitation can be detected by monitoring for the spawning of uncommon child processes within the guest VM ^[2].

Status and Mitigation

Patch Status: Security updates were published by Broadcom/VMware on September 29, 2025, following the lifting of an embargo ^[2].
Advisory: The vulnerability is addressed in VMSA-2025-0015, which covers multiple vulnerabilities, including CVE-2025-41244, CVE-2025-41245, and CVE-2025-41246 ^[1] ^[5].
CISA Status: Due to its active exploitation in the wild, this vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) catalog ^[4].

Users are strongly advised to apply the patches provided in VMSA-2025-0015 to mitigate this risk ^[5].

Sources

CVE-2025-41244 - Vulnerability Details - OpenCVE
VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privile…
CVE-2025-41244 - Exploits & Severity - Feedly
... NVD published the first details for CVE-2025-41244 ... CVE-2025-41244 is a critical local privilege escalation vulnerability affecting VMware’s guest service discovery features, with zero-day exploitation observed in the wild since mid-October 2024, as identified by NVISO. ... Patches and advis…
CVE-2025-41244 Detail - NVD
A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled ...
NVD - CVE-2025-41244
Secure .gov websites use HTTPS A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites. ... This CVE record has been marked for NVD enrichment efforts.https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-20…
NVD - CVE-2025-41245
This CVE record is not being prioritized for NVD enrichment efforts due to resource or other concerns. Description. VMware Aria Operations contains an information disclosure vulnerability.http://support.broadcom.com/group/ecx/support-content-view/-/support-content/Security%20Advisories/VMSA-2025-001…
Multiple Vulnerabilities in VMware Aria Operations and VMware ...
THREAT INTELLIGENCE: NVISO indicates the vulnerability CVE-2025-41244 has been exploited in the wild as a zero-day since mid-October 2024 by ...