The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Instruments and VMware Aria Operations to its Identified Exploited Vulnerabilities (KEV) catalog, following reviews of energetic exploitation within the wild.
The vulnerability in query is CVE-2025-41244 (CVSS rating: 7.8), which may very well be exploited by an attacker to realize root stage privileges on a inclined system.
“Broadcom VMware Aria Operations and VMware Instruments comprise a privilege outlined with unsafe actions vulnerability,” CISA stated in an alert. “A malicious native actor with non-administrative privileges gaining access to a VM with VMware Instruments put in and managed by Aria Operations with SDMP enabled could exploit this vulnerability to escalate privileges to root on the identical VM.”
The vulnerability was addressed by Broadcom-owned VMware final month, however not earlier than it was exploited as a zero-day by unknown menace actors since mid-October 2024, in accordance with NVISO Labs. The cybersecurity firm stated it found the vulnerability earlier this Might throughout an incident response engagement.
The exercise is attributed to a China-linked menace actor Google Mandiant tracks as UNC5174, with NVISO Labs describing the flaw as trivial to use. Particulars surrounding the precise payload executed following the weaponization of CVE-2025-41244 have been presently withheld.
“When profitable, exploitation of the native privilege escalation leads to unprivileged customers attaining code execution in privileged contexts (e.g., root),” security researcher Maxime Thiebaut stated. “We are able to, nevertheless, not assess whether or not this exploit was a part of UNC5174’s capabilities or whether or not the zero-day’s utilization was merely unintentional on account of its trivialness.”
Additionally positioned within the KEV catalog is a essential eval injection vulnerability in XWiki that would allow any visitor person to carry out arbitrary distant code execution via a specifically crafted request to the “/bin/get/Most important/SolrSearch” endpoint. Earlier this week, VulnCheck revealed that it noticed makes an attempt by unknown menace actors to use the flaw and ship a cryptocurrency miner.
Federal Civilian Govt Department (FCEB) businesses are required to use the mandatory mitigations by November 20, 2025, to safe their networks in opposition to energetic threats.
