Cyber Resilience

CVE-2025-41244

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 29 September 2025
Modified: 06 November 2025
KEV Added: 30 October 2025
Patch: available (vendor updates released, see Broadcom VMSA-2025-0015)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0053 (67.6th percentile)
Risk Priority: 36 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-41244 is a high-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in VMware open-vm-tools and VMware Tools. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 32.4% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations identified by this analysis are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability tracked as CVE-2025-41244. The flaw affects virtual machines running VMware Tools that are managed by Aria Operations with SDMP (the Service Discovery Management Pack) enabled, allowing a local actor to gain elevated access on the guest operating system. It carries a CVSS v3.1 score of 7.8 and is classified as CWE-267.

A malicious local actor who already possesses non-administrative access to such a VM can exploit the issue to escalate privileges to root on the same virtual machine. The attack requires no user interaction and occurs entirely within the guest environment.

Broadcom security advisory VMSA-2025-0015 and related vendor notices direct customers to apply the updates released for VMware Aria Operations and VMware Tools to remediate the vulnerability along with two companion issues.

EPSS for the CVE rose from a low baseline to a peak of 0.0101, indicating that exploitation interest increased after public disclosure.


Vulnerability details

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

CWE(s): CWE-267 (Privilege Defined With Unsafe Actions)
KEV Date Added: 30 October 2025

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local privilege escalation vulnerability directly enables exploitation for privilege escalation (T1068) from non-admin to root within the VM.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-38352 (same product: Debian Linux; both on KEV)
CVE-2026-31431 (same product: Debian Linux; both on KEV)
CVE-2025-22225 (same product: VMware Cloud Foundation; both on KEV)
CVE-2025-62215 (same vendor: Microsoft; both on KEV)
CVE-2025-24990 (same vendor: Microsoft; both on KEV)
CVE-2025-62221 (same vendor: Microsoft; both on KEV)
CVE-2025-60710 (same vendor: Microsoft; both on KEV)
CVE-2025-21334 (same vendor: Microsoft; both on KEV)
CVE-2025-21333 (same vendor: Microsoft; both on KEV)
CVE-2026-21519 (same vendor: Microsoft; both on KEV)

Affected Assets

VMware Aria Operations: 8.0 — 8.18.5
VMware Cloud Foundation: 4.0 — 5.2.2
VMware Cloud Foundation Operations: 9.0
VMware open-vm-tools: 13.0.0 · 11.2.0 — 12.5.4
VMware Telco Cloud Infrastructure: 2.2 — 3.0
VMware Telco Cloud Platform: 4.0 — 5.0.1
Debian Linux: 11.0
VMware Tools: 12.5.0 — 12.5.4 · 13.0.0.0 — 13.0.5.0
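Added scoping check (example code written for this page, not tooling from Broadcom or this tracker): it applies the three exposure conditions from the Deeper analysis section (affected Tools build, managed by Aria Operations, SDMP enabled) and the open-vm-tools / VMware Tools version ranges listed above to a constructed VM inventory, so a defender can see which guests to update first. The `GuestVM` fields, the sample inventory and the status labels are assumptions made for the example.

```python
from dataclasses import dataclass

# Affected ranges as listed on this page (inclusive bounds); added example, not vendor code.
AFFECTED_RANGES = {
    "open-vm-tools": [("11.2.0", "12.5.4"), ("13.0.0", "13.0.0")],
    "vmware-tools": [("12.5.0", "12.5.4"), ("13.0.0.0", "13.0.5.0")],
}

def parse_version(text: str, width: int = 4) -> tuple:
    """'12.5.4' -> (12, 5, 4, 0) so 3- and 4-part builds compare safely."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def version_affected(product: str, version: str) -> bool:
    """True when the build falls inside any affected range for that product."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES.get(product, []))

@dataclass
class GuestVM:  # constructed inventory record, not a real API object
    name: str
    tools_product: str   # "open-vm-tools" or "vmware-tools"
    tools_version: str
    aria_managed: bool   # managed by VMware Aria Operations
    sdmp_enabled: bool   # Service Discovery Management Pack enabled

def classify(vm: GuestVM) -> str:
    """exposed = all three advisory conditions met; update-needed = affected
    build but a precondition absent (configuration can change, so still patch);
    not-affected = build outside the listed ranges."""
    if not version_affected(vm.tools_product, vm.tools_version):
        return "not-affected"
    if vm.aria_managed and vm.sdmp_enabled:
        return "exposed"
    return "update-needed"

def triage(inventory) -> dict:
    """Map each VM name to its status, listing exposed guests first."""
    order = {"exposed": 0, "update-needed": 1, "not-affected": 2}
    return {vm.name: classify(vm)
            for vm in sorted(inventory, key=lambda v: order[classify(v)])}

# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    GuestVM("web-01", "open-vm-tools", "12.3.5", True, True),
    GuestVM("db-02", "vmware-tools", "13.0.5.0", True, False),
    GuestVM("build-03", "open-vm-tools", "12.5.5", True, True),
    GuestVM("legacy-04", "open-vm-tools", "13.0.0", False, True),
]
```

Calling `triage(SAMPLE_INVENTORY)` ranks web-01 as exposed, db-02 and legacy-04 as update-needed, and build-03 as not-affected according to the ranges on this page.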

Mitigating Controls (NIST 800-53 r5)

Prevent · SI-2 Flaw Remediation: Timely application of Broadcom's patches for VMware Aria Operations and VMware Tools directly remediates the local privilege escalation vulnerability.

Prevent · AC-6 Least Privilege: Least privilege limits non-administrative users' capabilities on the VM, reducing the feasibility and impact of privilege escalation to root.

Prevent · AC-3 Access Enforcement: Access enforcement mechanisms restrict unauthorized privilege elevations by local actors within the VM despite the vulnerability.
