
There’s a new vulnerability making waves in the VMware ecosystem, and it’s not just theoretical. A China-linked threat group known as UNC5174 has been caught exploiting a zero-day privilege escalation flaw in VMware Tools and Aria Operations… in the wild… since October 2024.
What makes it even more interesting? The exploit hinges on regex.
Yes, that thing developers use to validate email addresses is now being used to gain root access on cloud systems.
CVE-2025-41244 – From Regex to Root
At the heart of the issue is CVE-2025-41244, a local privilege escalation vulnerability (CVSS 7.8) that affects a long list of VMware products, including:
- VMware Tools (11.x, 12.x, 13.x on Windows and Linux)
- VMware Aria Operations 8.x
- VMware Cloud Foundation and vSphere Foundation (multiple versions)
- Telco Cloud Infrastructure and Platform (various versions)
The flaw resides in a shell function named get_version(), which uses regex patterns to locate system binaries in the command lines of running processes and then executes each match to query its version. But here’s the catch: the regex isn’t picky.
# get_version(): called with a regex and a version flag. For every discovered
# process it extracts the first command-line token matching PATTERN and then
# executes that token with VERSION_OPTION, using the scanner's privileges.
get_version() {
  PATTERN=$1          # e.g. "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)"
  VERSION_OPTION=$2   # e.g. -v
  for p in $space_separated_pids   # PIDs collected earlier by the script
  do
    # leftmost match of PATTERN in the process command line
    COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
    # cut at the first whitespace and run the result: whatever path the regex
    # matched, including one in a user-writable directory, is executed here
    [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
  done
}
Instead of matching only trusted binaries like /usr/bin/httpd, the \S+ class accepts any run of non-whitespace characters, so the pattern matches any path at all, including binaries staged in user-writable directories like /tmp/httpd.
And that’s exactly where UNC5174 decided to get creative.
The Exploit Path: /tmp/httpd to Root
Once attackers gain a foothold on a VM (via phishing, supply chain, or any initial access vector), they can:
- Drop a malicious binary in /tmp and name it something system-like, such as httpd.
- Ensure the binary opens a listening socket.
- Wait for Aria Operations (with SDMP enabled) to scan running processes.
- Let get_version() do the rest—detecting the binary, executing it, and granting root access.
Simple. It works. And it’s really, really quiet. Researchers at NVISO Labs say that’s exactly what UNC5174 did, using a binary in /tmp/httpd that created a privileged shell without raising any alarms. And what about the payload? We’re still in the dark about that. The impact? Clear: root access on Linux VMs.
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
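To make the matching behaviour concrete, here is an added Python simulation (written for this article, not VMware's or NVISO's code) that applies three of the patterns above to constructed process command lines exactly the way the script does, and reports which matches the scanner would execute from a directory an unprivileged user can write to. The trusted-directory allowlist is an assumption for the example; nothing is executed.

```python
import os
import re

# Regex/option pairs passed to get_version() by the vulnerable script (quoted from the page).
VULNERABLE_PATTERNS = {
    r"/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)": "-v",
    r"/\S+/mysqld($|\s)": "-V",
    r"\.?/\S*nginx($|\s)": "-v",
}
# Assumed allowlist: directories an unprivileged user cannot write to.
TRUSTED_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"}

def select_binary(cmdline, pattern):
    """Reproduce `grep -Eo "$PATTERN"` plus `${COMMAND%%[[:space:]]*}`: leftmost match,
    cut at the first whitespace. (re.search is not POSIX leftmost-longest, but the
    token it yields is the same for these patterns.)"""
    m = re.search(pattern, cmdline)
    return None if m is None else re.split(r"\s", m.group(0), maxsplit=1)[0]

def is_trusted(binary):
    """True only if the normalised path sits directly in a trusted directory,
    so '/usr/sbin/../../tmp/httpd' does not pass as '/usr/sbin/...'."""
    return os.path.dirname(os.path.normpath(binary)) in TRUSTED_DIRS

def audit(cmdlines):
    """List (binary, version option, trusted?) for everything the vulnerable
    get_version() would execute with the scanner's privileges. Nothing is run here."""
    findings = []
    for cmd in cmdlines:
        for pattern, option in VULNERABLE_PATTERNS.items():
            binary = select_binary(cmd, pattern)
            if binary is not None:
                findings.append((binary, option, is_trusted(binary)))
    return findings

def untrusted_executions(cmdlines):
    """Paths the scanner would run from user-writable locations: the condition a
    pre-execution allowlist check should reject and a detection rule should flag."""
    return [b for b, _, trusted in audit(cmdlines) if not trusted]

# Constructed process command lines, as a process listing might show them.
SAMPLE_CMDLINES = [
    "/usr/sbin/httpd -k start",                    # legitimate Apache
    "/tmp/httpd",                                  # staging path described in the write-up
    "/usr/sbin/mysqld --basedir=/usr",
    "/home/user/.local/bin/nginx -g daemon off;",  # user-writable, still matched
    "python3 /opt/app/server.py",                  # no pattern matches
]
```

Running audit(SAMPLE_CMDLINES) shows the script cannot tell /usr/sbin/httpd from /tmp/httpd; only the allowlist check in is_trusted separates them.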
A Misused Feature, Not a Buggy Buffer
This isn’t your classic memory corruption or buffer overflow. This is a design flaw, a good idea gone wrong.
“The broad use of the \S regex character class allows matching non-system binaries,” explained NVISO’s Maxime Thiebaut, who discovered the bug during an incident response in May 2025. “Unprivileged users can stage fake binaries in world-writable directories, leading to unexpected code execution.”
Translation? Regex + lazy pattern matching = root access.
Not Just Theoretical – Real Attacks Confirmed
What makes this story different from most CVE disclosures is that exploitation is confirmed. NVISO tracked live attacks by UNC5174 leveraging this exact flaw, months before a patch was available.
While Broadcom didn’t initially acknowledge active exploitation, the behavior matches known tactics from this group: exploit a flaw, escalate access, and embed deeply.
“We don’t know if this was a custom-built exploit or just an accidental discovery, but it worked, and it was used,” added Thiebaut.