7.8 CVE-2025-41244

Privilege Escalation

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.
https://nvd.nist.gov/vuln/detail/CVE-2025-41244

Categories

CWE-267 : Privilege Defined With Unsafe Actions
A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. Roles have access to dangerous procedures (Accessible entities). Untrusted object/method gets access to clipboard (Accessible entities). Gain privileges using functions/tags that should be restricted (Accessible entities). Traceroute program allows unprivileged users to modify source address of packet (Accessible entities). Bypass domain restrictions using a particular file that references unsafe URI schemes (Accessible entities). Script does not restrict access to an update command, leading to resultant disk consumption and filled error logs (Accessible entities). "public" database user can use stored procedure to modify data controlled by the database owner (Unsafe privileged actions). User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions). Allows attachment to and modification of privileged processes (Unsafe privileged actions). User with privilege can edit raw underlying object using unprotected method (Unsafe privileged actions). Inappropriate actions allowed by a particular role(Unsafe privileged actions). Untrusted entity allowed to access the system clipboard (Unsafe privileged actions). Extra Linux capability allows bypass of system-specified restriction (Unsafe privileged actions). User with debugging rights can read entire process (Unsafe privileged actions). Non-root admins can add themselves or others to the root admin group (Unsafe privileged actions). Users can change certain properties of objects to perform otherwise unauthorized actions (Unsafe privileged actions). Certain debugging commands not restricted to just the administrator, allowing registry modification and infoleak (Unsafe privileged actions).

References

134c704f-9b21-4f2e-91b3-4a467353bcc0

https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
https://support.broadcom.com/web/ecx/support-content-notification/-/external/...

security@vmware.com

http://support.broadcom.com/group/ecx/support-content-view/-/support-content/...

CPE

cpe	start	end

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
58	Restful Privilege Elevation An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.	High
634	Probe Audio and Video Peripherals The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains which is accomplished by collecting communication data between two parties via the use of peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. Skype) on a system.	High
637	Collect Data from Clipboard The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized. [Find an application that allows copying sensititve data to clipboad] An adversary first needs to find an application that allows copying and pasting of sensitive information. This could be an application that prints out temporary passwords to the screen, private email addresses, or any other sensitive information or data [Target users of the application] An adversary will target users of the application in order to obtain the information in their clipboard on a periodic basic [Follow-up attack] Use any sensitive information found to carry out a follow-up attack	Low
643	Identify Shared Files/Directories on System An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network.	Medium
648	Collect Data from Screen Capture An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks.	Medium

MITRE

Techniques

id	description
T1113	Screen Capture
T1115	Clipboard Data
T1123	Audio Capture
T1125	Video Capture
T1135	Network Share Discovery
T1513	Screen Capture
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
M1028	Enable Windows Group Policy “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” security setting to limit users who can enumerate network shares.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee