Cybersecurity Alert: Critical Vulnerability in VMware Affects Many Systems
Overview of the Vulnerability
On October 31, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a serious security flaw affecting Broadcom’s VMware Tools and VMware Aria Operations. This vulnerability, tracked as CVE-2025-41244, has a CVSS score of 7.8, indicating its high severity and potential for exploitation. Recent reports point to its active use in cyberattacks, making it a priority for organizations to address.
How the Exploit Works
CISA’s alert describes the flaw as a privilege escalation vulnerability caused by “unsafe actions.” In practice, a local attacker with limited privileges on a virtual machine (VM) could exploit it to gain root access. Specifically, an actor with access to a VM that has VMware Tools installed and is managed by Aria Operations could elevate their privileges to root.
Background on the Exploit
Broadcom-controlled VMware patched this vulnerability last month. However, it had already been exploited since at least mid-October 2024 by unidentified threat actors, as found by cybersecurity firm NVISO Labs. This vulnerability was initially discovered during an incident response project earlier this year.
Attribution to Threat Actors
The malicious activity linked to this exploit has been associated with a China-based threat group known as UNC5174, which is monitored by Google Mandiant. NVISO Labs described the vulnerability as relatively straightforward to exploit, though specific details regarding the payloads used during these attacks have not been disclosed.
Implications of the Exploit
When executed successfully, this exploit allows unprivileged users to execute code within privileged contexts, such as gaining root access. According to cybersecurity researcher Maxime Thiebaut, “We cannot definitively ascertain if this exploit was a deliberate part of UNC5174’s strategy or if its usage was merely coincidental, given its ease of exploitation.”
Additional Vulnerabilities in the KEV Catalog
Alongside the VMware flaw, CISA has also added a critical eval injection vulnerability in XWiki to its Known Exploited Vulnerabilities (KEV) catalog. This flaw allows any guest user to achieve remote code execution through a specially crafted request sent to the “/bin/get/Main/SolrSearch” endpoint. Recent findings by VulnCheck indicate that threat actors have attempted to leverage this flaw to deploy cryptocurrency miners.
Mitigation Requirements for Federal Agencies
As part of CISA’s guidelines, all Federal Civilian Executive Branch (FCEB) agencies must implement necessary security measures by November 20, 2025. These actions are essential to protect their networks from the ongoing threats posed by these vulnerabilities.
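A practical way to act on a KEV addition like this one is to check the catalog against your own product inventory and track the CISA due date. The following is an added example, not code from the article or from CISA: it assumes the record layout of CISA's published KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) and uses constructed sample records that reuse the CVE and dates given above.

```python
"""Triage CISA KEV records against an organization's product inventory.

Added example, not code from the article or CISA. The record shape follows
CISA's published KEV JSON feed; the records below are constructed samples
reusing the CVE and dates the article gives (fetching the live feed is
left to the caller).
"""
import json
from datetime import date

# Constructed sample in the KEV feed's shape, not a live download.
# The second record is a placeholder for an unrelated product.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-41244", "vendorProject": "Broadcom",
         "product": "VMware Aria Operations and VMware Tools",
         "dateAdded": "2025-10-31", "dueDate": "2025-11-20",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-0000-0000", "vendorProject": "PlaceholderVendor",
         "product": "PlaceholderProduct",
         "dateAdded": "2025-10-01", "dueDate": "2025-10-22",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})


def parse_kev(feed_json: str) -> list[dict]:
    """Return the list of KEV records from a feed document."""
    return json.loads(feed_json)["vulnerabilities"]


def triage(entries: list[dict], inventory: set[str], today_iso: str) -> list[dict]:
    """Keep records whose vendor or product mentions an inventory keyword.

    Each hit gains days_remaining (negative once past the CISA due date)
    and an overdue flag; results are ordered by due date, soonest first.
    """
    today = date.fromisoformat(today_iso)
    keywords = {k.lower() for k in inventory}
    hits = []
    for rec in entries:
        haystack = f"{rec['vendorProject']} {rec['product']}".lower()
        if not any(k in haystack for k in keywords):
            continue
        remaining = (date.fromisoformat(rec["dueDate"]) - today).days
        hits.append({**rec, "days_remaining": remaining, "overdue": remaining < 0})
    hits.sort(key=lambda h: h["dueDate"])
    return hits
```

Calling `triage(parse_kev(feed), {"vmware"}, "2025-11-01")` on the sample returns the CVE-2025-41244 record with 19 days remaining; the same call after November 20 flags it as overdue.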
Conclusion
With cybersecurity threats becoming more sophisticated and prevalent, organizations using VMware products must prioritize patching their systems against CVE-2025-41244. Staying informed about potential vulnerabilities and timely mitigation can significantly reduce the risk of successful cyberattacks.