## https://sploitus.com/exploit?id=0CD46310-0F91-5C94-9EDD-9733C68AF3B6
# CVE-2025-41244 PoC
VMware Aria Operations
```bash
  &1)" VERSIONEND
  done
}
```

Excerpt from get-versions.sh (lines 119-124):
```bash
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
```

## Theory
The first pattern (simplified here to `/\S+/httpd($|\s)`) is designed to match the proper installation path, such as `/usr/bin/httpd`. However, the regex accepts any absolute path, so if an unprivileged user creates a script at `/tmp/httpd` (a world-writable directory) and runs it, then as long as the process has a listening socket (on any interface, even localhost) the VMware Tools script executes it in an elevated context, achieving local privilege escalation. This could enable a malicious user to execute a reverse shell, create a root user, or ultimately perform any elevated action they choose.
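As an added example (not part of this PoC and not VMware's own get-versions.sh), the kind of stricter check that closes this gap: instead of accepting any absolute path that ends in the service name, only executables under an allow-list of root-owned system directories are accepted, and a second function reports process lines that look like one of the listed services but run from somewhere else. The prefix list and the process lines are assumptions constructed for the example.

```bash
#!/bin/sh
# Assumed site policy: only binaries under these prefixes may be invoked.
TRUSTED_PREFIXES="/usr/bin /usr/sbin /usr/lib /usr/libexec /opt/vmware"

# is_trusted_cmd CMDLINE
# Returns 0 when the first token of CMDLINE is an absolute path under one of
# the trusted prefixes, 1 otherwise. A relative path (./nginx) or a path in a
# world-writable location (/tmp/httpd) never qualifies.
is_trusted_cmd() {
  cmd=$1
  exe=${cmd%% *}                  # first whitespace-separated token
  case "$exe" in
    /*) ;;                        # must be an absolute path
    *) return 1 ;;
  esac
  for p in $TRUSTED_PREFIXES; do
    case "$exe" in
      "$p"/*) return 0 ;;
    esac
  done
  return 1
}

# flag_untrusted_services < "pid cmdline" lines
# Prints the pid and command line of every process whose executable is named
# like one of the services the version scan looks for (same names as in the
# excerpt above) but does not come from a trusted prefix.
flag_untrusted_services() {
  while read -r pid cmd; do
    case "${cmd%% *}" in
      */httpd|*/httpd-prefork|*/httpd2-prefork|*/mysqld|*/nginx|*/dataserver|*/vmware-dr)
        is_trusted_cmd "$cmd" || echo "$pid $cmd"
        ;;
    esac
  done
}

# Constructed sample process list (not real output from any host).
SAMPLE='412 /usr/sbin/httpd -k start
9001 /tmp/httpd
9002 ./nginx -g daemon
777 /usr/sbin/mysqld --defaults-file=/etc/my.cnf'

# Only the /tmp and relative-path entries are reported.
printf '%s\n' "$SAMPLE" | flag_untrusted_services
```

On a live host the same function can be fed real `pid cmdline` pairs (for example from `ps -eo pid,args`) to spot a listening service that was started from a writable directory before the scan script picks it up.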

# Proof of Concept
A Go program is executed to create a listening socket. When the `get-versions.sh` script matches its regular expression against `/tmp/[SERVICE]`, it runs that file in an elevated context. When the program is run in that elevated context, instead of creating a listening socket it executes an arbitrary command (e.g., `/bin/bash -i`), obtaining privilege escalation.

# References
https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/