Oct 31, 2025Ravie LakshmananVulnerability / Cyber Assault
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added a high-severity safety flaw impacting Broadcom VMware Instruments and VMware Aria Operations to its Identified Exploited Vulnerabilities (KEV) catalog, following stories of energetic exploitation within the wild.
The vulnerability in query is CVE-2025-41244 (CVSS rating: 7.8), which may very well be exploited by an attacker to achieve root stage privileges on a prone system.
“Broadcom VMware Aria Operations and VMware Instruments comprise a privilege outlined with unsafe actions vulnerability,” CISA mentioned in an alert. “A malicious native actor with non-administrative privileges getting access to a VM with VMware Instruments put in and managed by Aria Operations with SDMP enabled could exploit this vulnerability to escalate privileges to root on the identical VM.”
The vulnerability was addressed by Broadcom-owned VMware final month, however not earlier than it was exploited as a zero-day by unknown menace actors since mid-October 2024, based on NVISO Labs. The cybersecurity firm mentioned it found the vulnerability earlier this Might throughout an incident response engagement.
The exercise is attributed to a China-linked menace actor Google Mandiant tracks as UNC5174, with NVISO Labs describing the flaw as trivial to use. Particulars surrounding the precise payload executed following the weaponization of CVE-2025-41244 have been at the moment withheld.
“When profitable, exploitation of the native privilege escalation ends in unprivileged customers attaining code execution in privileged contexts (e.g., root),” safety researcher Maxime Thiebaut mentioned. “We will, nonetheless, not assess whether or not this exploit was a part of UNC5174’s capabilities or whether or not the zero-day’s utilization was merely unintentional attributable to its trivialness.”
Additionally positioned within the KEV catalog is a essential eval injection vulnerability in XWiki that might allow any visitor person to carry out arbitrary distant code execution by the use of a specifically crafted request to the “/bin/get/Major/SolrSearch” endpoint. Earlier this week, VulnCheck revealed that it noticed makes an attempt by unknown menace actors to use the flaw and ship a cryptocurrency miner.
Federal Civilian Government Department (FCEB) businesses are required to use the required mitigations by November 20, 2025, to safe their networks towards energetic threats.
