CISA Warns of VMware Zero-Day Exploitation by China-Linked Hackers; Patch Available


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant security vulnerability affecting Broadcom’s VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog. This action follows reports of active exploitation of the flaw, identified as CVE-2025-41244, which carries a CVSS score of 7.8. The vulnerability allows attackers to escalate privileges to root on affected systems.

CISA’s alert specifies that Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. This means that a local user with non-administrative privileges, who has access to a virtual machine (VM) with VMware Tools installed and managed by Aria Operations with SDMP enabled, can exploit this flaw to gain root-level access on the same VM.

Broadcom, which owns VMware, addressed this vulnerability in a patch released last month. However, cybersecurity firm NVISO Labs discovered that the flaw had been exploited as a zero-day since mid-October 2024. NVISO Labs identified this during an incident response engagement in May 2025.

The exploitation of CVE-2025-41244 has been attributed to a China-linked threat actor known as UNC5174. NVISO Labs described the vulnerability as trivial to exploit, indicating that even attackers with limited resources could leverage it effectively. Security researcher Maxime Thiebaut noted, "When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root)." However, the exact payloads executed following the exploitation remain undisclosed.

In addition to CVE-2025-41244, CISA has also added a critical eval injection vulnerability in XWiki to the KEV catalog. This flaw allows any guest user to achieve arbitrary remote code execution by sending a specially crafted request to the /bin/get/Main/SolrSearch endpoint. VulnCheck has recently reported observing attempts by unknown threat actors to exploit this vulnerability to deploy cryptocurrency mining software.

Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the necessary mitigations by November 20, 2025, to protect their networks from these active threats.