← All Posts

VMware Aria Operations and Tools Privilege Escalation Now Exploited in the Wild: Root Access from Any Local User

What Is Happening

A local privilege escalation vulnerability in VMware Aria Operations and VMware Tools is under active exploitation. CVE-2025-41244 allows any non-administrative user with local access to a virtual machine to escalate privileges to root. The vulnerability exists in the Service Discovery and Dependency Mapping (SDMP) feature, which runs with elevated privileges and improperly handles actions from low-privileged processes.

CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on October 30, 2025, confirming active exploitation. The attack requires only local access to a VM running VMware Tools that is managed by Aria Operations with SDMP enabled. This is a common configuration in enterprise VMware environments where operations teams use Aria for infrastructure monitoring and application discovery.

The severity stems from the low barrier to exploitation. Any user account on the guest VM can trigger the vulnerability, no special privileges required. With VMware Tools deployed across most enterprise VM fleets and Aria Operations commonly used for monitoring, the attack surface is substantial. Security researchers at NVISO published technical details on September 29, 2025, and exploitation followed shortly after.

Affected Versions

ProductAffected VersionsStatus
VMware Aria Operations8.0 through 8.18.4Vulnerable
VMware Tools12.5.0 through 12.5.3Vulnerable
VMware Tools13.0.0 through 13.0.4Vulnerable
VMware Cloud Foundation4.0 and laterVulnerable (includes affected components)
VMware Cloud Foundation Operations9.0Vulnerable
Debian Linux 11open-vm-tools packageVulnerable (see Debian advisory)

Patched Versions:

Advisory Reference: Broadcom Security Advisory VMSA-2025-0015. Obtain patches from the Broadcom support portal at support.broadcom.com.

Debian Linux: Patches available via debian-lts-announce. See the October 2025 announcement for open-vm-tools package updates.

What Being on an Affected Version Means

An attacker who has any local user account on a vulnerable VM can execute code as root without any user interaction. The SDMP component runs privileged operations that can be manipulated by unprivileged processes, a classic "privilege defined with unsafe actions" flaw (CWE-267). Once the attacker has root on the guest VM, they control all data and processes within that virtual machine.

The attack path typically starts with compromised credentials for any user account, a phishing attack, or exploitation of a web application running on the VM. From there, the attacker escalates to root and gains access to all data stored on that system. In environments where the VM hosts databases, application servers, or management tools, this means access to credentials, configuration files, and sensitive business data. The attacker can also leverage the compromised VM to pivot laterally, especially if the VM has network access to other internal systems or if VMware Tools provides access to shared folders or clipboard data from the host.

Mitigation Steps

  1. Upgrade VMware Tools immediately to version 12.5.4 (for 12.x installations) or 13.0.5 (for 13.x installations). Deploy across all managed VMs. Download from the Broadcom support portal under VMSA-2025-0015.
  1. Upgrade VMware Aria Operations to version 8.18.5 or later. This addresses the server-side component of the vulnerability.
  1. Disable SDMP on VMs where it is not required. In Aria Operations, navigate to Administration > Management > Service Discovery and disable the feature for VMs that do not need application dependency mapping. This removes the attack surface.
  1. For Debian Linux systems, update the open-vm-tools package to the patched version specified in the debian-lts-announce October 2025 advisory. Run apt update && apt upgrade open-vm-tools.
  1. Audit local user accounts on all VMs. Remove unnecessary local accounts and verify that service accounts use least-privilege configurations. Attackers need only a low-privilege foothold to exploit this vulnerability.
  1. Monitor for privilege escalation indicators. Look for unexpected processes running as root that were spawned by non-root parent processes. On Linux VMs, review auth.log and secure logs for su or sudo activity from unexpected users. Monitor for new cron jobs or systemd services created by non-administrative accounts.
  1. If immediate patching is not possible, restrict network access to Aria Operations management interfaces and disable SDMP as a compensating control until patches can be deployed.

This is a P0 vulnerability with confirmed active exploitation. Patch all affected systems within 24 to 48 hours.

Intelligence sourced from: Tenable Research

Concerned about your exposure?

Find out what's exploitable in your environment.

Request Free Assessment