
CVE-2025-41244 PoC — VMSA-2025-0015: VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244,CVE-202

Associated Vulnerability
Title: VMSA-2025-0015: VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246) (CVE-2025-41244)
Description: VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.
Description
VMware Aria Operations < 4.18.5 & VMware Tools - Local Privilege Escalation
Readme
# CVE-2025-41244 PoC
VMware Aria Operations < 4.18.5 & VMware Tools - Local Privilege Escalation

## Background
*Please read the article listed in references to get a more comprehensive and verbose explanation of the vulnerability.*

TL;DR

A shell script within VMware Tools named `get-versions.sh` uses a broad regex pattern (`\S`) to identify running processes that have listening sockets. For each matching process, it executes the matched command with the respective version flag (`-v`, `--version`, etc.) to retrieve the running version of the service.

Excerpt from get-versions.sh (lines 18-26):
```bash
get_version() {
  PATTERN=$1
  VERSION_OPTION=$2
  for p in $space_separated_pids
  do
    COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
    [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
  done
}
```

Excerpt from get-versions.sh (lines 119-124):
```bash
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
```

## Theory
The top line `/\S+/httpd($|\s)` is designed to match the proper installation path, such as `/usr/bin/httpd`. However, if an unprivileged user creates a script at `/tmp/httpd` (a globally writable directory) and runs it, then as long as the process has a listening socket (on any interface, even localhost), the VMware Tools script will execute it in an elevated context, achieving local privilege escalation. This could enable a malicious user to execute a reverse shell, create a root user, or ultimately take any elevated action they choose.
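
The check that `get_version()` is missing, as an added audit helper that is not part of this PoC or of VMware Tools: it re-implements the `grep -Eo` extraction on constructed sample command lines (not read from `/proc`) and flags any match whose binary does not live under an assumed allowlist of root-owned directories, which is what a defender would run against `ps -o args=` output before trusting SDMP discovery on a host.

```shell
# Audit helper added here (not code from the PoC or from VMware Tools).
# It repeats the extraction step of get_version(): grep -Eo the pattern
# out of a command line and keep the first whitespace-separated token,
# then (the step get-versions.sh lacks) checks that the token lives under
# a root-owned directory. TRUSTED_DIRS and SAMPLES are assumed/constructed.
TRUSTED_DIRS="/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /opt"

# Same httpd pattern as the script, spelled with POSIX classes instead of
# GNU's \S / \s so it runs under any grep -E.
HTTPD_PATTERN='/[^[:space:]]+/(httpd-prefork|httpd|httpd2-prefork)($|[[:space:]])'
# Constructed sample command lines (what `ps -o args=` would print).
SAMPLES='/usr/sbin/httpd -DFOREGROUND
/tmp/httpd
/usr/bin/python3 app.py
/home/alice/.local/bin/httpd-prefork -k start'

# 0 if the binary path in $1 is under one of TRUSTED_DIRS, else 1.
is_trusted_path() {
  for d in $TRUSTED_DIRS; do
    case "$1" in "$d"/*) return 0 ;; esac
  done
  return 1
}

# Print the token get_version() would execute for command line $1 and
# pattern $2. Exit status: 0 trusted path, 1 untrusted path, 2 no match.
classify_cmdline() {
  match=$(printf '%s\n' "$1" | grep -Eo "$2") || return 2
  bin=${match%%[[:space:]]*}
  printf '%s\n' "$bin"
  is_trusted_path "$bin"
}

# Report each sample and finish with "untrusted=<n>" on the last line.
audit_samples() {
  untrusted=0
  while IFS= read -r line; do
    rc=0
    bin=$(classify_cmdline "$line" "$HTTPD_PATTERN") || rc=$?
    case $rc in
      0) echo "trusted    $bin" ;;
      1) echo "UNTRUSTED  $bin  <- $line"; untrusted=$((untrusted + 1)) ;;
      *) echo "no-match   $line" ;;
    esac
  done <<EOF
$SAMPLES
EOF
  echo "untrusted=$untrusted"
}

audit_samples
```

Any `UNTRUSTED` line is a process that the unpatched script would have executed as root from a user-writable path.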

## Proof of Concept
A Go program is executed to create a listening socket. When the `get-versions.sh` script matches the regex expression against `/tmp/[SERVICE]`, it will run the program in an elevated context. When the program is run in an elevated context, instead of creating a listening socket, it will execute an arbitrary command (e.g., `/bin/bash -i`), obtaining privilege escalation.

## References
https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
File Snapshot

[4.0K] /data/pocs/e5bc4e5701b06f47eaaad056ae27416a9a3d2029
├── [4.9K] CVE-2025-41244.go
├── [3.0K] CVE-2025-41244-original.go
├── [3.0K] CVE-2025-41244-w-comments.go
└── [2.2K] README.md

1 directory, 4 files