The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-41244 to its Known Exploited Vulnerabilities catalog. This local privilege escalation flaw affects Broadcom’s VMware Aria Operations and VMware Tools, with evidence of active exploitation in the wild.
Security researchers and officials urge immediate patching to prevent potential ransomware and other attacks that could compromise virtualized infrastructures.
The vulnerability, rated as Important with a CVSSv3 base score of 7.8, stems from a privilege defined with unsafe actions issue. It allows a malicious local actor with non-administrative access to a virtual machine (VM) to escalate their privileges to root on the same VM.
This is particularly risky in setups where VMware Tools are installed and managed by Aria Operations with Software-Defined Management Platform (SDMP) enabled.
Broadcom confirmed that suspected exploitation has already occurred, heightening concerns for organizations relying on VMware for cloud and on-premises virtualization.
At its core, CVE-2025-41244 exploits improper privilege-handling flaws in VMware Tools and Aria Operations. A low-privileged user on a compromised VM can leverage this flaw to gain full administrative control, potentially pivoting to broader network access or data exfiltration.
The attack requires local access, meaning initial footholds, such as through phishing or unpatched endpoints, could serve as entry points.
Broadcom’s analysis ties the issue to CWE-267 (Privilege Defined With Unsafe Actions), emphasizing how seemingly benign configurations can become attack surfaces. No workarounds exist, making timely updates essential.
Affected components include VMware Tools versions prior to 12.5.4 and specific Aria Operations releases. For Linux users, open-vm-tools updates will roll out via vendors, while Windows 32-bit systems are covered in Tools 12.4.9 as part of the 12.5.4 bundle.
CVE ID: CVE-2025-41244
Affected Products: VMware Aria Operations, VMware Tools
CVSSv3 Score: 7.8 (Important)
Impact: Local privilege escalation to root on VM
Fixed Versions: Tools 12.5.4; Aria Operations patches per matrix; open-vm-tools via vendors
Exploitation Status: Suspected in-the-wild exploitation; added to CISA KEV catalog
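To triage an inventory against the fixed versions listed above, the following Python sketch is an added example, not code from Broadcom, CISA or this article. The host records and field names are constructed for illustration; only the 12.5.4 and 12.4.9 thresholds come from the text.

```python
import re

# Fixed versions as stated in the article; everything else here is constructed.
FIXED_TOOLS = (12, 5, 4)         # VMware Tools
FIXED_TOOLS_WIN32 = (12, 4, 9)   # Windows 32-bit, shipped in the 12.5.4 bundle

def parse_version(text):
    """Pull the leading x.y.z out of a string such as '12.5.0.0 (build-0)'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(host):
    """Classify one inventory record for CVE-2025-41244 patch status."""
    if host["package"] == "open-vm-tools":
        # Fixes arrive through the distribution vendor, so the upstream
        # version number alone does not show whether the patch is present.
        return "check-vendor"
    try:
        version = parse_version(host.get("tools_version"))
    except ValueError:
        return "unknown"  # Tools missing or version not reported: inspect by hand
    win32 = host["os"] == "windows" and host["arch"] == "x86"
    fixed = FIXED_TOOLS_WIN32 if win32 else FIXED_TOOLS
    return "patched" if version >= fixed else "vulnerable"

def report(inventory):
    """Map each host name to its triage status."""
    return {h["name"]: triage(h) for h in inventory}

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"name": "web01", "os": "linux", "arch": "x86_64",
     "package": "open-vm-tools", "tools_version": "12.4.5"},
    {"name": "app02", "os": "windows", "arch": "x64",
     "package": "vmware-tools", "tools_version": "12.5.0.0 (build-0)"},
    {"name": "app03", "os": "windows", "arch": "x64",
     "package": "vmware-tools", "tools_version": "12.5.4"},
    {"name": "kiosk04", "os": "windows", "arch": "x86",
     "package": "vmware-tools", "tools_version": "12.4.9"},
    {"name": "db05", "os": "windows", "arch": "x64",
     "package": "vmware-tools", "tools_version": None},
]

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:10} {status}")
```

Hosts reported as "check-vendor" or "unknown" need a manual look at the distribution's advisory or the guest itself before they can be counted as patched.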
Mitigations
CISA advises applying vendor patches immediately and following Binding Operational Directive (BOD) 22-01 for federal cloud services. Organizations unable to patch should consider discontinuing use of vulnerable products.
This incident underscores the persistent targeting of virtualization platforms, which power much of today’s hybrid IT landscapes.
Broadcom credited Maxime Thiebaut of NVISO for discovering and reporting the flaw, highlighting the role of collaborative security research.
As ransomware campaigns increasingly exploit such vulnerabilities, enterprises must prioritize vulnerability management. With exploitation confirmed, unpatched systems remain prime targets; delaying action could lead to severe operational disruptions.