CVE-2025-41244
Overview
CVE-2025-41244 is a local privilege escalation vulnerability affecting VMware Tools and VMware Aria Operations. The flaw exists in the get-versions.sh script used by the serviceDiscovery plugin, which employs overly broad regular expressions that can match non-system binaries.
Technical Details
The vulnerability stems from regex patterns using the \S character class (matching any non-whitespace character). As noted in the documentation, this "matches non-system binaries (e.g., /tmp/httpd)" rather than restricting matches to legitimate system locations.
Vulnerable regex patterns include:
- /\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)
- /usr/(bin|sbin)/apache\S*
- /\S+/mysqld($|\s)
- \.?/\S*nginx($|\s)
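As an added illustration (not code from this page or from VMware), the patterns listed above are run in Python against constructed process command lines, beside an anchored alternative that only accepts binaries under system directories; the hardened patterns and the sample command lines are assumptions for the demo, not VMware's actual fix.

```python
import re

# The vulnerable patterns as quoted in the write-up of get-versions.sh.
VULNERABLE_PATTERNS = [
    r"/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)",
    r"/usr/(bin|sbin)/apache\S*",
    r"/\S+/mysqld($|\s)",
    r"\.?/\S*nginx($|\s)",
]

# Hardened alternative (an assumption for this demo, not the vendor's patch):
# anchor the path to known system directories so a binary staged under /tmp or
# a home directory cannot satisfy the match. Adjust the directory list per distro.
SYSTEM_DIRS = r"^/usr/(bin|sbin|local/bin|local/sbin)/"
HARDENED_PATTERNS = [
    SYSTEM_DIRS + r"(httpd-prefork|httpd|httpd2-prefork)($|\s)",
    SYSTEM_DIRS + r"apache\S*",
    SYSTEM_DIRS + r"mysqld($|\s)",
    SYSTEM_DIRS + r"nginx($|\s)",
]

def matches_any(cmdline, patterns):
    # The script greps process listings, so unanchored search semantics apply.
    return any(re.search(p, cmdline) for p in patterns)

def classify(cmdline):
    """Return (vulnerable_match, hardened_match) for one process command line."""
    return matches_any(cmdline, VULNERABLE_PATTERNS), matches_any(cmdline, HARDENED_PATTERNS)

# Constructed sample command lines, as a process listing might show them.
SAMPLE_CMDLINES = [
    "/usr/sbin/httpd -k start",
    "/tmp/httpd",
    "/home/user/.cache/mysqld --defaults-file=/tmp/my.cnf",
    "/usr/sbin/nginx -g daemon off;",
    "./nginx",
    "/usr/bin/python3 server.py",
]

def audit(cmdlines):
    """Return the command lines the loose patterns accept but the anchored ones reject."""
    return [c for c in cmdlines if classify(c) == (True, False)]

if __name__ == "__main__":
    for c in audit(SAMPLE_CMDLINES):
        print("non-system binary would be version-checked:", c)
```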
Affected Products
- VMware Cloud Foundation 4.x, 5.x, 9.x.x.x, 13.x.x.x
- VMware vSphere Foundation 9.x.x.x, 13.x.x.x
- VMware Aria Operations 8.x
- VMware Tools 11.x.x, 12.x.x, 13.x.x
- VMware Telco Cloud Platform/Infrastructure versions
Exploitation Requirements
- serviceDiscovery must be installed
- A malicious binary matching the regex pattern (e.g., /tmp/httpd)
- The binary must appear as a network service
- Service Discovery runs every 5 minutes, triggering automatic checks
Proof of Concept
The provided Go code demonstrates the exploit by creating a listener that appears as a network service, then establishing a connection when the privileged process executes the version check script.
Detection
Check for serviceDiscovery installation:
dpkg -l | grep vm-tools
Verify installation directory:
/usr/lib/x86_64-linux-gnu/open-vm-tools/serviceDiscovery/scripts/get-versions.sh