CISA adds VMware local privilege‑escalation zero-day to Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity flaw affecting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The issue is tracked as CVE-2025-41244 and carries a CVSS score of 7.8.

The vulnerability can be exploited to gain root privileges on an affected system. CISA classified it as a privilege defined with unsafe actions (CWE-267): a local attacker with non-administrative privileges on a VM that runs VMware Tools and is managed by Aria Operations with the Service Discovery Management Pack (SDMP) enabled can escalate to root on that VM. Two conditions therefore have to hold for a guest to be exposed: VMware Tools must be installed in it, and it must be monitored by an Aria Operations deployment that has SDMP turned on.

Broadcom-owned VMware released a fix for the vulnerability last month. NVISO Labs reported that the defect had been exploited as a zero-day by unknown actors since mid-October 2024, and said it discovered the issue in May 2025 during an incident response engagement. NVISO described the flaw as trivial to exploit; details of the exact payloads used in the observed attacks have been withheld.

Security firms have attributed the activity to a China-linked actor tracked by Google Mandiant as UNC5174. Researcher Maxime Thiebaut said successful exploitation allows unprivileged users to achieve code execution in privileged contexts such as root, but he also said it was not possible to determine whether UNC5174 intentionally incorporated the zero-day into its toolkit or used it incidentally because of the bug’s trivial exploitability.

CISA also placed a separate critical eval injection vulnerability in XWiki on the KEV list. That defect allows any guest (unauthenticated) user to achieve remote code execution via a specially crafted request to the “/bin/get/Main/SolrSearch” endpoint, and security researchers reported observing attempts to exploit it to deliver a cryptocurrency miner.

Federal Civilian Executive Branch (FCEB) agencies have been directed, under Binding Operational Directive 22-01, to apply the required mitigations by November 20, 2025. The deadline is binding only on FCEB agencies, but a KEV listing is CISA's signal to every organization that the flaw is being exploited in the wild and should be prioritized accordingly.
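The practical follow-up to a KEV addition is to check your own inventory against the catalog and track the remediation deadline. The following is an added example, not code from the article or from CISA: it indexes a KEV JSON export by CVE ID and reports, for each CVE in an asset inventory, whether it is listed and how many days remain until its due date. `KEV_SAMPLE` is a constructed one-entry excerpt that follows the field names of the published KEV JSON feed; its descriptive strings paraphrase this article rather than CISA's verbatim text, and the `dateAdded` value is an assumption (the article gives only the due date). `INVENTORY` is likewise constructed and includes a second CVE that is absent from the excerpt, so the non-match path is exercised.

```python
"""Match an asset inventory's CVE list against a CISA KEV JSON export.

Added illustration; not part of the original article or any CISA tooling.
KEV_SAMPLE is a constructed excerpt using the published feed's field names;
the text fields paraphrase the article and dateAdded is an assumption.
"""
import json
from datetime import date

# Constructed excerpt of the KEV feed (one entry, field names as in the real feed).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-41244",
            "vendorProject": "Broadcom",
            "product": "VMware Aria Operations and VMware Tools",
            # Paraphrased from the article, not CISA's verbatim wording.
            "vulnerabilityName": "VMware Aria Operations and VMware Tools "
                                 "Privilege Defined With Unsafe Actions Vulnerability",
            "dateAdded": "2025-10-30",  # assumption: the article says only "Thursday"
            "shortDescription": "Local privilege escalation to root on a VM running "
                                "VMware Tools and managed by Aria Operations with SDMP enabled.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": "2025-11-20",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ],
})

# Constructed inventory: one CVE from the excerpt, one that is not in it.
INVENTORY = ["CVE-2025-41244", "CVE-2021-44228"]


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index a KEV feed export by (upper-cased) CVE ID."""
    feed = json.loads(kev_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def kev_status(kev_json: str, inventory: list[str], today: "date | str") -> dict[str, dict]:
    """For each inventory CVE, report KEV membership and the days remaining
    until the remediation due date (negative once the deadline has passed)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    kev = load_kev(kev_json)
    report: dict[str, dict] = {}
    for cve in inventory:
        entry = kev.get(cve.upper())
        if entry is None:
            report[cve] = {"in_kev": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        report[cve] = {
            "in_kev": True,
            "product": entry["product"],
            "due_date": entry["dueDate"],
            "days_until_due": (due - today).days,
            "overdue": today > due,
            "ransomware_use": entry["knownRansomwareCampaignUse"],
        }
    return report


if __name__ == "__main__":
    # Run the check as of the day after the listing used in the sample.
    for cve, info in kev_status(KEV_SAMPLE, INVENTORY, "2025-10-31").items():
        print(cve, info)
```

Against a real export, `load_kev` is fed the downloaded feed file and `INVENTORY` comes from the scanner or asset database; the due-date arithmetic is the piece worth automating, since an entry that reads as "in KEV" without a countdown tends to slip past the remediation window.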