CVE-2025-41244

HIGH KEV

VMware Aria Operations and VMware Tools - Local Privilege Escalation via SDMP


Exploitation Summary

CVE-2025-41244 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 30, 2025. EIP tracks 3 public exploits from researchers including NULL200OK, rxerium, and haspiranti.

AI-analyzed exploit summary: This PoC demonstrates a local privilege escalation (LPE) vulnerability by compiling a fake HTTPD binary that escalates privileges to root when executed without arguments. It mimics version flags to appear legitimate.

Description

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

Exploits (3)

nomisec WORKING POC 2 stars
by NULL200OK · poc
https://github.com/NULL200OK/CVE-2025-41244

This PoC demonstrates a local privilege escalation (LPE) vulnerability by compiling a fake HTTPD binary that escalates privileges to root when executed without arguments. It mimics version flags to appear legitimate.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Fake_HTTPD/1.0 (simulated)
No auth needed
Prerequisites: Local access to compile and execute the binary
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 1 stars
by rxerium · poc
https://github.com/rxerium/CVE-2025-41244

This repository provides a Nuclei template for detecting CVE-2025-41244, a local privilege escalation vulnerability in VMware Aria Operations and VMware Tools. It does not contain exploit code but offers a scanning method to identify vulnerable systems.

Classification: Scanner 90%
Attack Type: LPE
Complexity: Trivial
Reliability: Theoretical
Target: VMware Aria Operations and VMware Tools with SDMP enabled
No auth needed
Prerequisites: Local access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by haspiranti · golocal
https://github.com/haspiranti/CVE-2025-41244-PoC

This repository contains a functional privilege escalation exploit for CVE-2025-41244, leveraging Unix domain sockets to establish a bidirectional communication channel between an unprivileged and privileged process, ultimately spawning a shell with elevated permissions.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (likely a Unix-based system with a vulnerable service)
No auth needed
Prerequisites: Local access to the target system · Presence of a vulnerable service that can be exploited via Unix domain sockets
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 7.8
EPSS 0.0761
EPSS Percentile 93.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-10-30
VulnCheck KEV 2025-09-29
ENISA EUVD EUVD-2025-31589
CWE CWE-267
Status published
Products (9)
debian/debian_linux 11.0
vmware/aria_operations 8.0 - 8.18.5
vmware/cloud_foundation 4.0 - 5.2.2
vmware/cloud_foundation_operations 9.0
vmware/open_vm_tools 13.0.0
vmware/open_vm_tools 11.2.0 - 12.5.4
vmware/telco_cloud_infrastructure 2.2 - 3.0
vmware/telco_cloud_platform 4.0 - 5.0.1
vmware/tools 12.5.0 - 12.5.4
Published Sep 29, 2025
KEV Added Oct 30, 2025
Tracked Since Feb 18, 2026