The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw affecting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog after receiving reports of it being exploited in the wild.
The vulnerability in question, CVE-2025-41244 (CVSS score: 7.8), could be exploited by an attacker to gain root-level privileges on an affected system.
“Broadcom VMware Aria Operations and VMware Tools contain privileges with defined unsafe action vulnerabilities,” CISA said in the alert. “A malicious local attacker with non-administrative privileges who has access to a VM with VMware Tools installed and managed by Aria Operations that has SDMP enabled could exploit this vulnerability to escalate privileges to root on the same VM.”
The vulnerability was addressed by Broadcom’s VMware last month, but had not been addressed since mid-October 2024 before being exploited as a zero-day by an unknown attacker, according to NVISO Labs. The cybersecurity firm said it discovered the vulnerability during an incident response operation in early May of this year.
This activity is believed to be the work of a China-linked threat actor, tracked by Google Mandiant as UNC5174, and NVISO Labs describes the flaw as easy to exploit. Details regarding the exact payload executed after CVE-2025-41244 was weaponized are currently pending.
“A successful local privilege escalation exploit could result in an unprivileged user executing code in a privileged context (such as root),” said security researcher Maxime Thiebaut. “However, we cannot assess whether this exploit was part of the functionality of UNC5174 or whether the use of the zero-day was simply done by chance due to its triviality.”
The KEV catalog also contains a critical XWiki eval injection vulnerability. This vulnerability could allow guest users to execute arbitrary remote code via a specially crafted request to the ‘/bin/get/Main/SolrSearch’ endpoint. Earlier this week, VulnCheck revealed that it had observed attempts by unknown attackers to exploit this flaw to distribute cryptocurrency miners.
Federal civilian executive branch (FCEB) agencies must apply the necessary mitigations by November 20, 2025 to protect their networks from active threats.
Source link
