CVE-2025-41244

Опубликовано: 29 сент. 2025

Источник: redhat

CVSS3: 7.8

EPSS Низкий

Описание

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

A flaw was found in VMWare open-vm-tools. A malicious actor with non-administrative privileges on a guest Virtual Machine (VM) could exploit this vulnerability to gain root privileges on the VM. The issue lies in the service-discovery plugin logic, which can execute attacker-controlled binaries from writable paths such as /tmp. Exploitation requires the open-vm-tools-sdmp package to be installed and guest service discovery to be enabled.

Отчет

This vulnerability was rated Important because, while it requires local code execution, the exploitation is trivial and leads to full compromise of privileged contexts such as root. The flaw lies in VMware’s service-discovery logic, which can execute attacker-controlled binaries from writable paths like /tmp. An unprivileged user who runs a process with a listening socket can have it invoked by the privileged discovery routine, resulting in arbitrary code execution. Only systems with guest service discovery enabled are affected; those without this feature configured are not exposed. Exploitation requires the service-discovery plugin (open-vm-tools-sdmp) to be installed. Red Hat CoreOS (RHCOS) is not affected, as it only ships the standard open-vm-tools package, which by default, does not include the -sdmp subpackage. Customers concerned about exposure should use the command rpm -q open-vm-tools-sdmp to verify whether the impacted package is present on their systems.

Меры по смягчению последствий

There are two main ways to eliminate the risk of this vulnerability:

Temporary - Disable the guest service discovery features: Disable the servicediscovery plugin in the config or by running the command vmware-toolbox-cmd config set servicediscovery disabled true then restart the system.
More permanent - Uninstall open-vm-tools-sdmp then restart the system.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 7	open-vm-tools	Not affected
Red Hat OpenShift Container Platform 4	rhcos	Not affected
Red Hat Enterprise Linux 10	open-vm-tools	Fixed	RHSA-2025:17429	07.10.2025
Red Hat Enterprise Linux 8	open-vm-tools	Fixed	RHSA-2025:17509	07.10.2025
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	open-vm-tools	Fixed	RHSA-2025:17512	07.10.2025
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On	open-vm-tools	Fixed	RHSA-2025:17512	07.10.2025
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	open-vm-tools	Fixed	RHSA-2025:17511	07.10.2025
Red Hat Enterprise Linux 8.6 Telecommunications Update Service	open-vm-tools	Fixed	RHSA-2025:17511	07.10.2025
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	open-vm-tools	Fixed	RHSA-2025:17511	07.10.2025
Red Hat Enterprise Linux 8.8 Telecommunications Update Service	open-vm-tools	Fixed	RHSA-2025:17510	07.10.2025

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-280

https://bugzilla.redhat.com/show_bug.cgi?id=2397752open-vm-tools: Local privilege escalation in open-vm-tools

EPSS

Процентиль: 63%

0.00436

Низкий

7.8 High

CVSS3

Связанные уязвимости

CVE-2025-41244

CVSS3: 7.8

ubuntu

6 месяцев назад

CVE-2025-41244

CVSS3: 7.8

nvd

6 месяцев назад

CVE-2025-41244

CVSS3: 7.8

debian

6 месяцев назад

VMware Aria Operations and VMware Tools contain a local privilege esca ...

openSUSE-SU-2026:20067-1

suse-cvrf

2 месяца назад

Security update of open-vm-tools

SUSE-SU-2025:03585-1

suse-cvrf

6 месяцев назад

Security update for open-vm-tools

EPSS

Процентиль: 63%

0.00436

Низкий

7.8 High

CVSS3