CISA has issued a serious warning after adding a new VMware vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which affects Broadcom VMware Tools and VMware Aria Operations, is currently being actively exploited by China-linked hackers in real-world attacks.
The flaw, identified as CVE-2025-41244, carries a CVSS score of 7.8, marking it as a high-severity vulnerability. It allows attackers to gain root-level privileges — the highest level of access on a system — which can lead to full control over the affected virtual machine (VM).
According to CISA’s alert, the issue lies in the way VMware Tools and Aria Operations handle certain privilege definitions. In simple terms, the software contains a “privilege defined with unsafe actions” vulnerability. This means that a local attacker — someone who already has access to a VM but with limited permissions — could exploit the flaw to escalate their privileges and execute code with root access.
CISA’s statement explained:
“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.”
Cybersecurity firm NVISO Labs revealed that it first discovered this vulnerability in May 2024 during an incident response engagement. However, before VMware (now owned by Broadcom) could issue a patch, hackers had already begun exploiting it as a zero-day vulnerability in mid-October 2024.
Zero-day vulnerabilities are particularly dangerous because they are exploited before the affected vendor releases a fix, leaving organizations exposed with no immediate protection.
NVISO Labs noted that the flaw was easy to exploit and attributed the malicious activity to a China-linked advanced persistent threat (APT) group that Google Mandiant tracks as UNC5174.
While details about the payload — or what the attackers executed after exploiting the flaw — are currently being withheld for security reasons, experts warn that the exploit could allow attackers to run arbitrary code as root, potentially compromising entire virtual environments.
Security researcher Maxime Thiebaut commented:
“When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts, such as root. We cannot confirm whether this exploit was part of UNC5174’s established capabilities or simply an opportunistic use of an easy flaw.”
Along with the VMware zero-day, CISA also added a critical eval injection vulnerability in XWiki to its KEV catalog. This issue allows any unauthenticated user — even a guest — to execute arbitrary remote code by sending a specially crafted request to the “/bin/get/Main/SolrSearch” endpoint.
According to security firm VulnCheck, attackers have already been seen trying to exploit this XWiki vulnerability to deploy cryptocurrency miners, which use compromised systems to generate digital currency for attackers.
CISA has ordered all Federal Civilian Executive Branch (FCEB) agencies to apply patches or necessary mitigations for both vulnerabilities by November 20, 2025. The directive ensures that federal networks are protected from ongoing exploitation attempts and aligns with CISA’s broader strategy to mitigate known exploited threats that put critical infrastructure and sensitive data at risk.
The agency’s decision to add CVE-2025-41244 to its KEV list highlights the growing concern around zero-day exploitation targeting widely used enterprise software like VMware. Once a vulnerability enters the KEV catalog, it signals that it is actively being weaponized by threat actors, making prompt patching a top priority for both public and private organizations.
VMware software is used by thousands of organizations worldwide to manage virtualized IT environments, including government systems, financial institutions, and cloud service providers. A local privilege escalation flaw like this can give attackers the ability to:
- Execute malicious code as root.
- Install additional malware or backdoors.
- Intercept sensitive data.
- Move laterally across virtualized environments.
For attackers like the UNC5174 group, exploiting vulnerabilities in widely deployed enterprise tools provides a powerful foothold for espionage, data theft, and long-term persistence.
To mitigate risk, organizations should:
- Immediately apply VMware’s latest security updates for Tools and Aria Operations.
- Restrict local access to virtual machines where possible.
- Enable monitoring and detection tools that can identify unusual privilege escalation activity.
- Review CISA’s KEV catalog regularly and prioritize patching those vulnerabilities first.
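The last step above is routine work that is easy to automate. The script below is an added example, not code from the article or from CISA: it reads a catalog in the shape of CISA's public KEV JSON feed (the field names `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` are the feed's own), cross-references it against an asset inventory, and orders the matches by remediation deadline. The catalog and inventory are constructed samples embedded inline so the script runs offline; the XWiki CVE id is a placeholder because the article does not name it, and the third catalog entry is filler to show that unrelated vendors are filtered out.

```python
import json
from datetime import date

# Constructed sample in the shape of the public KEV JSON feed. Values come from
# the article where it gives them (CVE-2025-41244, Broadcom, due 2025-11-20).
# The XWiki CVE id is a placeholder; the ExampleVendor entry is filler.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV-style sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-41244",
            "vendorProject": "Broadcom",
            "product": "VMware Aria Operations and VMware Tools",
            "vulnerabilityName": "Privilege Defined With Unsafe Actions Vulnerability",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-11-20",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-XXXX-XXXXX",  # placeholder: article does not give the id
            "vendorProject": "XWiki",
            "product": "XWiki",
            "vulnerabilityName": "Eval Injection Vulnerability",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-11-20",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00001",  # constructed filler entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Constructed Filler Vulnerability",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2025-11-05",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

# Constructed asset inventory: what the organization actually runs.
SAMPLE_INVENTORY = [
    {"vendor": "Broadcom", "product": "VMware Tools"},
    {"vendor": "XWiki", "product": "XWiki"},
    {"vendor": "Microsoft", "product": "Windows"},
]


def _matches(entry, asset):
    """Vendor must match exactly; KEV product strings often bundle several
    products in one entry, so the product check is a substring match."""
    return (entry["vendorProject"].casefold() == asset["vendor"].casefold()
            and asset["product"].casefold() in entry["product"].casefold())


def prioritize(kev_json, inventory, today_iso):
    """Return KEV entries that affect the inventory, soonest deadline first.

    today_iso is a YYYY-MM-DD string; daysLeft goes negative once the
    CISA due date has passed, and overdue is set accordingly.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        affected = [a["product"] for a in inventory if _matches(entry, a)]
        if not affected:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cveID": entry["cveID"],
            "vendor": entry["vendorProject"],
            "affectedAssets": affected,
            "dueDate": due.isoformat(),
            "daysLeft": (due - today).days,
            "overdue": due < today,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    # Soonest deadline first; among equal deadlines, known ransomware use first.
    hits.sort(key=lambda h: (h["dueDate"], not h["ransomware"]))
    return hits


if __name__ == "__main__":
    for hit in prioritize(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2025-11-10"):
        status = "OVERDUE" if hit["overdue"] else f"{hit['daysLeft']} days left"
        print(f"{hit['cveID']:<16} {hit['vendor']:<10} due {hit['dueDate']} ({status})")
```

In practice the constructed catalog would be replaced by the downloaded feed and the inventory by an export from the CMDB or vulnerability scanner; the substring product match is deliberate, because a KEV entry that lists several products in one string would otherwise be missed by an exact comparison.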
As the exploitation of VMware and XWiki vulnerabilities shows, zero-day threats remain a major challenge for enterprises. Maintaining timely patching and strong access control policies is essential to defending against attackers who are increasingly exploiting trusted software to gain entry into critical systems.