A new high-severity security flaw affecting Broadcom VMware Tools and VMware Aria Operations has been officially added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. This comes after reports emerged of the vulnerability, cataloged as CVE-2025-41244, being actively exploited in the wild by malicious actors.
The vulnerability carries a CVSS score of 7.8 (High). An attacker who successfully exploits it gains root privileges on the affected virtual machine, which means full control of that guest: every file, every process and every credential the machine holds, with the resulting risk to data integrity and operational continuity.
High-Severity VMware Vulnerability Actively Exploited
CISA’s alert states that the vulnerability exists in Broadcom VMware Aria Operations and VMware Tools and stems from a privilege defined with unsafe actions. It is exploitable by a local attacker with non-administrative access to a virtual machine (VM) that has VMware Tools installed and is managed by Aria Operations with SDMP (the Service Discovery Management Pack) enabled.
Successful exploitation lets that attacker escalate to root on the same virtual machine. A user with limited permissions effectively becomes the administrator of the guest, able to execute any command and read or modify all data within the compromised VM. The precondition matters for triage: VMs that are not managed by Aria Operations with SDMP enabled are not in the exploitable configuration, though they should still be patched.
Broadcom, which owns VMware, released a patch for this vulnerability last month. The fix came well after the attacks began: threat actors had been exploiting the flaw as a zero-day since mid-October 2024. Cybersecurity firm NVISO Labs discovered it in May 2025 during an incident response engagement, roughly seven months after the earliest known exploitation.
The exploitation activity has been linked to a China-aligned threat actor that Google Mandiant tracks as UNC5174. NVISO Labs described the vulnerability as exceptionally easy to exploit, a characteristic that likely contributed to its rapid weaponization by attackers. Specific details regarding the payloads used following the exploitation of CVE-2025-41244 have not yet been fully disclosed.
Implications of Privilege Escalation
Security researcher Maxime Thiebaut noted that the local privilege escalation defect allows unprivileged users to achieve code execution in privileged contexts, such as the root user. He could not definitively confirm whether this exploit was part of UNC5174’s toolkit or whether its use was incidental, a consequence of how simple the bug is to trigger. Either way, the potential impact is significant: a foothold obtained through any low-privileged account on an affected VM can be converted into root.
In parallel, CISA also added a critical eval injection vulnerability in XWiki (CVE-2025-24893) to its KEV catalog. The flaw allows any guest user, without authentication, to execute arbitrary remote code by sending specially crafted requests to the “/bin/get/Main/SolrSearch” endpoint. Earlier in the week, VulnCheck observed unknown threat actors attempting to exploit the XWiki vulnerability, primarily to deploy cryptocurrency mining software.
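Because exploitation of the XWiki flaw arrives as a crafted request to a single known endpoint, web-server access logs are the obvious place to hunt for it. The following detector is an added example written for this article; it is not code from XWiki, VulnCheck or CISA. It assumes the Apache/Nginx combined log format, assumes that XWiki wiki-macro syntax (the `{{` marker) has no business appearing in a search query to that endpoint, and assumes the search page takes its query in a `text` parameter. The log lines are constructed for illustration, and the suspicious query is a placeholder in macro syntax, not the payload observed in the wild.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Combined log format (Apache/Nginx). Only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the CISA/VulnCheck reporting. XWiki is commonly served under a
# context path such as /xwiki, so match on the suffix rather than the full path.
ENDPOINT_SUFFIX = "/bin/get/Main/SolrSearch"

# Assumption (heuristic, not from the advisory): XWiki macro syntax in a query string
# is a strong signal of an injection attempt, since search input should be plain text.
MACRO_MARKER = "{{"

# Constructed sample lines for this example. Addresses are documentation ranges and the
# suspicious query is an illustrative placeholder in macro syntax.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Oct/2025:08:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%7B%7Bgroovy%7D%7Dprintln%281%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 1834 "-" "curl/8.4.0"
198.51.100.7 - - [30/Oct/2025:08:15:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=deployment+guide HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2025:08:15:40 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_request(target):
    """Return (hits_endpoint, suspicious, decoded_query) for a request target."""
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT_SUFFIX):
        return False, False, ""
    # Decode twice: double URL-encoding is a common evasion and a second pass is
    # harmless on already-plain text.
    decoded = unquote_plus(unquote_plus(parts.query))
    return True, MACRO_MARKER in decoded, decoded


def scan_log(text):
    """Return one finding per request to the SolrSearch endpoint whose decoded query
    carries macro syntax. Requests to other paths, and benign searches, are ignored."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit, suspicious, decoded = classify_request(rec["target"])
        if hit and suspicious:
            findings.append(
                {"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                 "ua": rec["ua"], "query": decoded}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} ua={f['ua']!r} query={f['query']!r}")
```

Two caveats for anyone running this against real logs: an HTTP 200 on a flagged request does not tell you whether the injected code ran, so treat every hit as a potential compromise and pivot to process and outbound-connection telemetry on the XWiki host (cryptominer deployment was the observed follow-on), and the detector only looks at query strings, so a deployment that also accepts the search text in a POST body needs the same check applied to request bodies.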
Federal Civilian Executive Branch (FCEB) agencies are required under Binding Operational Directive 22-01 to remediate both vulnerabilities by November 20, 2025. The deadline gives federal entities a fixed window to patch or otherwise mitigate the known exploitation before further compromise.
The addition of CVE-2025-41244 to the KEV catalog confirms that exploitation is not theoretical but observed in the wild. Organizations running Broadcom VMware products are strongly advised to identify which VMs are managed by Aria Operations with SDMP enabled, apply the vendor patches to both VMware Tools and Aria Operations, and review those guests for unexpected root-level activity dating back to October 2024. The case is another reminder that a bug exploited as a zero-day for nearly a year before disclosure leaves a long window in which patching alone is not enough and retrospective hunting is required.