Hacktricks-skills cve-2025-41244-vmware-tools-lpe

Use this skill whenever analyzing VMware Tools privilege escalation vulnerabilities, CVE-2025-41244, untrusted search path issues, or regex-driven service discovery abuse patterns. Also use when investigating vmtoolsd processes, service discovery scripts, or when you need to detect/mitigate CWE-426 vulnerabilities in monitoring agents. This skill helps security professionals understand, detect, and remediate the untrusted search path vulnerability in VMware Tools service discovery.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244/SKILL.MD
source content

CVE-2025-41244: VMware Tools Service Discovery LPE

A skill for analyzing, detecting, and mitigating the untrusted search path vulnerability (CWE-426) in VMware Tools service discovery that allows local privilege escalation.

What this vulnerability is

CVE-2025-41244 is a local privilege escalation vulnerability in VMware Tools/open-vm-tools on Linux. The service discovery component uses permissive regex patterns to match running processes and then executes the matched binary with a version flag. When the regex accepts untrusted paths (e.g., /tmp/httpd), an attacker can place a malicious binary in a writable location and have it executed with elevated privileges.

Key characteristics:

  • Impact: Local privilege escalation to root (or privileged discovery account)
  • Root cause: Untrusted Search Path (CWE-426) + permissive regex matching
  • Affected: open-vm-tools/VMware Tools on Linux, VMware Aria Operations SDMP
  • MITRE ATT&CK: T1036.005 (Match Legitimate Name or Location)

When to use this skill

Use this skill when:

  • You need to assess if a system is vulnerable to CVE-2025-41244
  • You're investigating suspicious vmtoolsd or service discovery activity
  • You need to write detection rules for this vulnerability class
  • You're hardening VMware Tools installations
  • You're analyzing similar regex-driven service discovery patterns in other agents
  • You need to understand the exploitation mechanics for defensive purposes

Vulnerability mechanics

How the vulnerable code works

The get-versions.sh script in open-vm-tools matches process command lines using broad regex patterns and executes the first token without path validation:

get_version() {
  PATTERN=$1
  VERSION_OPTION=$2
  for p in $space_separated_pids
  do
    COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
    [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
  done
}

Vulnerable patterns (from the actual script):

get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)(\$|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld(\$|\s)" -V
get_version "\.?/\S*nginx(\$|\s)" -v
get_version "/\S+/srm/bin/vmware-dr(\$|\s)" --version
get_version "/\S+/dataserver(\$|\s)" -v

The \S (non-whitespace) pattern accepts any path, including /tmp/httpd or ./nginx.
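The following is an added example, not code from the skill or from open-vm-tools. It feeds constructed process command lines through the three patterns quoted above and prints the first token that the discovery logic would hand to a privileged execve, labelled by whether it sits under a system prefix. Like get-versions.sh itself, it relies on GNU grep for the \S and \s escapes.

```shell
#!/bin/sh
# Added example, not code from the skill or from open-vm-tools: feed
# constructed process command lines through the patterns quoted above and
# show which first token the discovery logic would execute. Requires GNU grep
# (the \S and \s escapes are GNU extensions), as get-versions.sh itself does.

# Constructed command lines, one per line, as get_command_line would return
# them. The /tmp and ./ entries are what an unprivileged user can stage.
SAMPLE_CMDLINES='/usr/sbin/httpd -DFOREGROUND
/tmp/httpd -DFOREGROUND
/usr/sbin/nginx -g daemon off;
./nginx
/usr/sbin/mysqld --basedir=/usr
/tmp/mysqld
/usr/bin/python3 /home/user/app.py'

# The httpd, mysqld and nginx patterns as get-versions.sh passes them to
# grep -Eo (the script writes \$ inside double quotes; here $ is literal).
VULN_PATTERNS='/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)
/\S+/mysqld($|\s)
\.?/\S*nginx($|\s)'

# Mirror the script: grep -Eo the pattern, then keep the text before the first
# whitespace. Prints the path that would be executed, or nothing on no match.
matched_binary() {
  match=$(printf '%s\n' "$1" | grep -Eo "$2" | head -n 1)
  [ -n "$match" ] && printf '%s\n' "${match%%[[:space:]]*}"
  return 0
}

# Label a matched path by prefix, the way a hunting rule would.
classify_path() {
  case $1 in
    /usr/bin/*|/usr/sbin/*|/bin/*|/sbin/*) echo trusted ;;
    *) echo untrusted ;;
  esac
}

# Run every sample line against every pattern and report what would execute.
run_demo() {
  printf '%s\n' "$SAMPLE_CMDLINES" | while IFS= read -r line; do
    printf '%s\n' "$VULN_PATTERNS" | while IFS= read -r pat; do
      bin=$(matched_binary "$line" "$pat")
      if [ -n "$bin" ]; then
        printf '%-10s %s\n' "$(classify_path "$bin")" "$bin"
      fi
    done
  done
}

# Number of candidates the vulnerable patterns would hand to a privileged
# execve from a non-system location (3 for the constructed sample).
count_untrusted() {
  run_demo | grep -c '^untrusted'
}

run_demo
```

Running it shows the three legitimate daemons and, beside them, /tmp/httpd, ./nginx and /tmp/mysqld accepted by exactly the same patterns; nothing in the regexes distinguishes the two groups, which is the whole CWE-426 problem.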

Why this is dangerous

  1. No path validation: any matching process path is executed
  2. Privileged execution: the discovery script runs as root or as a privileged user
  3. World-writable locations: attackers can stage binaries in /tmp, ./, etc.
  4. Automatic triggering: discovery runs on a schedule (~5 minutes)

Detection

Process tree indicators

Look for suspicious children of vmtoolsd or get-versions.sh:

# Check for non-system paths being executed by discovery scripts
ps -ef --forest | grep -E "(vmtoolsd|get-versions)" | grep -E "(/tmp/|/home/|/var/tmp/|/dev/shm/)"

# Look for suspicious process ancestry
ps -ef --forest | grep -E "(httpd|nginx|mysqld)" | grep -v "/usr/"

File system artifacts

Credential-based mode (Aria SDMP):

# Check for SDMP wrapper scripts
ls -la /tmp/VMware-SDMP-Scripts-*/

# Look for execution of non-system paths in scripts
grep -r "/tmp/" /tmp/VMware-SDMP-Scripts-*/ 2>/dev/null

Credential-less mode:

# Check get-versions.sh for vulnerable patterns
grep -E '\\S' /usr/lib/vmware-tools/services/plugins/serviceDiscovery/get-versions.sh

Log-based detection

Hunting queries:

  • Uncommon children of vmtoolsd: /tmp/httpd, ./nginx, /tmp/mysqld
  • Execution of non-system absolute paths by discovery scripts
  • File creation in /tmp/ with daemon names (httpd, nginx, mysqld, dataserver)

Syslog/audit rules:

# Alert on execve of anything under the writable staging directories.
# auditd matches the syscall's file operand with -F dir=; a0 is the raw
# pointer argument of execve and cannot be compared against a path or a
# wildcard, so the a0=/tmp/* form never fires. Correlate the resulting
# records with their ppid/comm in ausearch to confirm vmtoolsd ancestry.
-a always,exit -F arch=b64 -S execve -F dir=/tmp -k vmtoolsd-suspicious
-a always,exit -F arch=b64 -S execve -F dir=/var/tmp -k vmtoolsd-suspicious

Mitigation

Immediate actions

  1. Patch: apply Broadcom/VMware updates for CVE-2025-41244
  2. Disable credential-less discovery where feasible
  3. Restrict /tmp permissions:
    chmod 1777 /tmp  # ensure the sticky bit is set
    # Consider mounting /tmp as noexec (remount only works if /tmp is its own mount)
    mount -o remount,noexec /tmp

Long-term hardening

  1. Validate trusted paths: Modify discovery scripts to only execute from allowlisted directories:

    # Safe pattern - strict allowlist
    candidate=$(get_command_line "$pid" | awk '{print $1}')
    case "$candidate" in
      /usr/sbin/nginx|/usr/sbin/httpd|/usr/sbin/apache2|/usr/bin/mysqld)
          "$candidate" -v 2>&1 ;;
      *)
          : # ignore non-allowlisted paths
          ;;
    esac
    
  2. Avoid permissive regexes: replace \S with explicit, anchored paths

  3. Drop privileges: Run discovery helpers with minimal privileges

  4. Sandbox: Use seccomp/AppArmor to restrict system calls

  5. File integrity monitoring: Monitor get-versions.sh and VMware Tools plugins
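As an added example that is not the skill's or open-vm-tools' own code, the block below turns items 1 and 2 above into a drop-in replacement for the get_version helper quoted earlier. It keeps the original interface but validates the candidate twice: lexically (absolute path, no dot components, directly inside an allowlisted directory) and on the filesystem (regular file, root-owned, not group/world-writable, symlink target also allowlisted). It assumes GNU coreutils (stat -c, readlink -f) and the original script's get_command_line function and space_separated_pids variable.

```shell
#!/bin/sh
# Added example, not code from the skill or from open-vm-tools. Assumes GNU
# coreutils (stat -c, readlink -f) and, for safe_get_version, the
# get_command_line function and space_separated_pids variable that the
# original get-versions.sh defines.

# Directories a privileged collector is allowed to execute binaries from.
TRUSTED_DIRS='/usr/sbin /usr/bin /sbin /bin /usr/local/sbin /usr/local/bin'

# Lexical check only: absolute, no "." or ".." components, and a direct child
# of one of TRUSTED_DIRS. Returns 0 when the path passes.
path_is_allowlisted() {
  path=$1
  case $path in
    /*) ;;                            # must be absolute: rejects ./nginx
    *) return 1 ;;
  esac
  case "/$path/" in
    */./*|*/../*) return 1 ;;         # rejects /usr/sbin/../../tmp/httpd
  esac
  for dir in $TRUSTED_DIRS; do
    case $path in
      "$dir"/*)
        # the remainder after "dir/" must be a bare filename (no subdirectory)
        [ "${path#"$dir"/}" = "${path##*/}" ] && return 0
        ;;
    esac
  done
  return 1
}

# Filesystem check: regular file, resolved symlink target also allowlisted,
# owned by root (uid 0), and no write bit for group or other.
file_is_trustworthy() {
  path=$1
  [ -f "$path" ] || return 1
  target=$(readlink -f -- "$path") || return 1
  path_is_allowlisted "$target" || return 1
  set -- $(stat -c '%u %a' -- "$target") || return 1
  [ "$1" = 0 ] || return 1
  # $2 is the octal mode; a 2, 3, 6 or 7 in the group or other digit is a write bit
  case $2 in
    *[2367]?|*[2367]) return 1 ;;
  esac
  return 0
}

# Hardened replacement for get_version: same arguments, but only runs
# candidates that pass both checks and reports everything it skipped.
safe_get_version() {
  pattern=$1
  version_option=$2
  for p in $space_separated_pids; do
    match=$(get_command_line "$p" | grep -Eo "$pattern" | head -n 1)
    [ -n "$match" ] || continue
    candidate=${match%%[[:space:]]*}
    if path_is_allowlisted "$candidate" && file_is_trustworthy "$candidate"; then
      echo VERSIONSTART "$p" "$("$candidate" $version_option 2>&1)" VERSIONEND
    else
      echo "skipping untrusted candidate for pid $p: $candidate" >&2
    fi
  done
}
```

The regexes can stay as they are once this guard is in place, but tightening them as item 2 recommends still reduces how often the collector even considers a staged binary. The filesystem check matters because an allowlisted directory can contain a symlink or a file left writable by a packaging mistake; the lexical check alone would accept it.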

Detection policy recommendations

# Alert when privileged collectors execute from non-system prefixes
# Regex: ^/(tmp|home|var/tmp|dev/shm)/

# Monitor for:
# - vmtoolsd spawning processes from /tmp/
# - get-versions.sh executing non-system paths
# - New executables in /tmp/ with daemon names
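The block below is an added example, not part of the skill, that applies the policy above and the process tree indicators from the Detection section to a process snapshot. It reads the column layout of `ps -eo ppid,pid,comm,args --no-headers`, walks each process's parent chain, and reports processes whose argv[0] matches the non-system prefix regex and whose ancestry contains vmtoolsd or get-versions.sh. The snapshot embedded in it is constructed for the demo; only POSIX sh and awk are needed.

```shell
#!/bin/sh
# Added example, not code from the skill or from open-vm-tools: apply the
# hunting rule above ("privileged collector child executing from a non-system
# prefix") to a process snapshot in the column layout produced by
#   ps -eo ppid,pid,comm,args --no-headers
# Needs only POSIX sh and awk.

# Constructed snapshot; PIDs and paths are invented for the demo. PID 901 is
# the same staged binary outside the collector tree, which this rule does
# not flag: it scopes alerts to vmtoolsd / get-versions.sh descendants.
SNAPSHOT='1 800 vmtoolsd /usr/bin/vmtoolsd
800 801 get-versions.sh /bin/sh /usr/lib/vmware-tools/services/plugins/serviceDiscovery/get-versions.sh
801 802 httpd /usr/sbin/httpd -v
801 803 httpd /tmp/httpd -v
801 804 nginx ./nginx -v
1 900 sshd /usr/sbin/sshd -D
900 901 bash /tmp/httpd'

# Prefix regex from the detection policy, plus the relative ./ form that the
# nginx pattern in get-versions.sh accepts. [.] avoids awk -v escape handling.
NON_SYSTEM_RE='^(/(tmp|home|var/tmp|dev/shm)/|[.]/)'

# Prints "pid argv0" for every process whose argv[0] matches NON_SYSTEM_RE
# and whose ancestry contains vmtoolsd or get-versions.sh. Pass a live
# snapshot as $1; defaults to the constructed one.
find_suspicious() {
  printf '%s\n' "${1:-$SNAPSHOT}" | awk -v re="$NON_SYSTEM_RE" '
    { ppid[$2] = $1; comm[$2] = $3; argv0[$2] = $4 }
    END {
      for (p in argv0) {
        if (argv0[p] !~ re) continue
        # Walk up the parent chain looking for a collector process.
        q = ppid[p]; depth = 0
        while ((q in comm) && depth < 64) {
          if (comm[q] == "vmtoolsd" || comm[q] == "get-versions.sh") {
            print p, argv0[p]
            break
          }
          q = ppid[q]; depth++
        }
      }
    }' | sort -n
}

find_suspicious
```

On a live host run `find_suspicious "$(ps -eo ppid,pid,comm,args --no-headers)"`. The comm column is truncated to 15 characters by the kernel, which get-versions.sh fits exactly; if you extend the collector list with longer names, match on a prefix instead. Because the rule keys on ancestry, a staged /tmp/httpd that a user merely started for themselves (PID 901 in the sample) is left to the file-creation indicators above.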

Scripts

Use the bundled scripts for automated detection and remediation:

  • scripts/check_vulnerability.sh - check if a system is vulnerable
  • scripts/detect_suspicious_execution.sh - detect active exploitation
  • scripts/harden_vmtools.sh - apply hardening recommendations

Run these scripts with appropriate privileges and review the output carefully.

Related vulnerabilities

This vulnerability pattern (regex-driven service discovery abuse) may exist in other monitoring agents and discovery tools. Look for:

  • Process enumeration with listening sockets
  • Regex-based command line matching with \S or similar permissive patterns
  • Execution of matched paths without validation
  • Privileged execution context

References