The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.
The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), which could be exploited by an attacker to attain root level privileges on a susceptible system.
“Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability,” CISA said in an alert. “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.”
The vulnerability was addressed by Broadcom-owned VMware last month, but not before it was exploited as a zero-day by unknown threat actors since mid-October 2024, according to NVISO Labs. The cybersecurity company said it discovered the vulnerability earlier this May during an incident response engagement.
The activity is attributed to a China-linked threat actor Google Mandiant tracks as UNC5174, with NVISO Labs describing the flaw as trivial to exploit. Details surrounding the exact payload executed following the weaponization of CVE-2025-41244 have been currently withheld.
“When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root),” security researcher Maxime Thiebaut said. “We can, however, not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.”
Also placed in the KEV catalog is a critical eval injection vulnerability in XWiki that could permit any guest user to perform arbitrary remote code execution by means of a specially crafted request to the “/bin/get/Main/SolrSearch” endpoint. Earlier this week, VulnCheck revealed that it observed attempts by unknown threat actors to exploit the flaw and deliver a cryptocurrency miner.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by November 20, 2025, to secure their networks against active threats.
