Cyber Posture

CVE-2025-41244

High · CISA KEV · Active Exploitation · Public PoC

Published: 29 September 2025

Modified: 06 November 2025
KEV Added: 30 October 2025
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.4th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-41244 is a high-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in VMware Open VM Tools. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 30.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Timely application of Broadcom's patches for VMware Aria Operations and VMware Tools directly remediates the local privilege escalation vulnerability.

prevent

Least privilege limits non-administrative users' capabilities on the VM, reducing the feasibility and impact of privilege escalation to root.

prevent

Access enforcement mechanisms restrict unauthorized privilege elevations by local actors within the VM despite the vulnerability.

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Local privilege escalation vulnerability directly enables exploitation for privilege escalation (T1068) from non-admin to root within the VM.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

Deeper analysis (AI)

CVE-2025-41244 is a local privilege escalation vulnerability in VMware Aria Operations and VMware Tools, classified under CWE-267 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Published on September 29, 2025, it allows escalation of privileges within affected virtual machines.

A malicious local actor with non-administrative privileges and access to a VM equipped with VMware Tools, where the Tools are installed and managed by Aria Operations with SDMP enabled, can exploit this vulnerability to elevate their privileges to root on the same VM. The attack requires low complexity and no user interaction, potentially compromising confidentiality, integrity, and availability at a high level.

Broadcom's security advisory VMSA-2025-0015 details updates for VMware Aria Operations and VMware Tools that address CVE-2025-41244 along with CVE-2025-41245 and CVE-2025-41246. Additional references include announcements on the oss-security mailing list, Debian LTS, and a technical analysis from NVISO Labs.

Details

CWE(s)
KEV Date Added: 30 October 2025

Affected Products

Vendor | Product | Affected versions
vmware | aria operations | 8.0 — 8.18.5
vmware | cloud foundation | 4.0 — 5.2.2
vmware | cloud foundation operations | 9.0
vmware | open vm tools | 13.0.0 · 11.2.0 — 12.5.4
vmware | telco cloud infrastructure | 2.2 — 3.0
vmware | telco cloud platform | 4.0 — 5.0.1
debian | debian linux | 11.0
vmware | tools | 12.5.0 — 12.5.4 · 13.0.0.0 — 13.0.5.0

CVEs Like This One

CVE-2025-38352 · Same product: Debian Debian Linux · both on KEV
CVE-2026-31431 · Same product: Debian Debian Linux · both on KEV
CVE-2025-22225 · Same product: Vmware Cloud Foundation · both on KEV
CVE-2025-21418 · Same vendor: Microsoft · both on KEV
CVE-2025-62215 · Same vendor: Microsoft · both on KEV
CVE-2025-59230 · Same vendor: Microsoft · both on KEV
CVE-2026-21533 · Same vendor: Microsoft · both on KEV
CVE-2025-21333 · Same vendor: Microsoft · both on KEV
CVE-2025-24983 · Same vendor: Microsoft · both on KEV
CVE-2025-21335 · Same vendor: Microsoft · both on KEV

References