CVE-2025-41244

Local Privilege Escalation through VMware Tools and/or VMware Aria Operations due to a bad regexp in the serviceDiscovery get-version.sh script.

get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v

The use of the broad-matching \S character class (any non-whitespace character) in several of the regex patterns means they also match non-system binaries (e.g., /tmp/httpd). The target system must have serviceDiscovery installed; check with dpkg -l | grep vm-tools, or browse /usr/lib/x86_64-linux-gnu/open-vm-tools/ and look for ./serviceDiscovery/scripts/get-versions.sh.

Service Discovery runs once every 5 minutes.
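
The following is an added defender-side check, not code from the page or from VMware: it runs the six patterns quoted above over a constructed process list and flags any process that service discovery would pick up whose binary lives outside a directory where packaged services are expected. The trusted-prefix list and the sample process lines are assumptions made for this example.

```python
import re

# Regex patterns quoted from the vulnerable get-versions.sh as listed on this page.
VULNERABLE_PATTERNS = [
    r"/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)",
    r"/usr/(bin|sbin)/apache\S*",
    r"/\S+/mysqld($|\s)",
    r"\.?/\S*nginx($|\s)",
    r"/\S+/srm/bin/vmware-dr($|\s)",
    r"/\S+/dataserver($|\s)",
]

# Directories where a packaged service binary is expected to live.
# Assumption for this example; tune it to the host's packaging conventions.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/local/",
                    "/opt/", "/bin/", "/sbin/")


def matches_discovery(cmdline):
    """Return the first vulnerable pattern matching a process command line, or None."""
    for pat in VULNERABLE_PATTERNS:
        if re.search(pat, cmdline):
            return pat
    return None


def suspicious_matches(cmdlines):
    """Flag (binary, pattern) pairs where the binary is outside the trusted prefixes.

    Anything returned here is a process that the discovery script would try to
    execute with a version flag even though it is not a system-installed service.
    """
    flagged = []
    for line in cmdlines:
        pat = matches_discovery(line)
        if pat is None:
            continue
        binary = line.split()[0]
        if not binary.startswith(TRUSTED_PREFIXES):
            flagged.append((binary, pat))
    return flagged


# Constructed sample process list in the style of `ps -eo args`; not real data.
SAMPLE_PROCESSES = [
    "/usr/sbin/httpd -k start",
    "/usr/sbin/mysqld --basedir=/usr",
    "/tmp/httpd",
    "/home/user/.cache/nginx -g daemon off;",
    "/usr/bin/python3 /opt/app/server.py",
]

if __name__ == "__main__":
    for binary, pat in suspicious_matches(SAMPLE_PROCESSES):
        print(f"untrusted path {binary!r} would be matched by pattern {pat!r}")
```

On a live host, feed the output of ps -eo args into suspicious_matches to see which running processes the discovery script would act on.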

Vulnerable versions

  • VMware Cloud Foundation 4.x and 5.x

  • VMware Cloud Foundation 9.x.x.x

  • VMware Cloud Foundation 13.x.x.x (Windows, Linux)

  • VMware vSphere Foundation 9.x.x.x

  • VMware vSphere Foundation 13.x.x.x (Windows, Linux)

  • VMware Aria Operations 8.x

  • VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)

  • VMware Telco Cloud Platform 4.x and 5.x

  • VMware Telco Cloud Infrastructure 2.x and 3.x

Requirements

  • serviceDiscovery must be installed

  • Binary name must match the regexp check in get-version.sh, e.g. /tmp/httpd

  • Binary must appear as a network service

PoC || GTFO

Vulnerable system:

Non-vulnerable system, manual poc:

Source code

Install Service Discovery

After installing and restarting the service locally, you may need to configure the Service Discovery adapter in your VMware management tool (such as vRealize Operations) to start collecting. Only then will the exploit trigger automatically.


Full blog post here: https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
