CISA Mandates Patching of VMware Tools Privilege Escalation Vulnerability Exploited by Chinese Threat Actors
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to urgently patch a high-severity local privilege escalation vulnerability, tracked as CVE-2025-41244, affecting Broadcom's VMware Aria Operations and VMware Tools. This flaw allows attackers with non-administrative access to a virtual machine, when managed by Aria Operations with SDMP enabled, to escalate privileges to root. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog after confirmation that it has been actively exploited in the wild, with exploitation attributed to the Chinese state-sponsored group UNC5174 since October 2024. Federal Civilian Executive Branch agencies have been given a three-week deadline to apply patches, and all organizations are strongly urged to prioritize remediation due to the significant risk posed by this vulnerability.
Broadcom patched CVE-2025-41244 one month prior to CISA's directive, and proof-of-concept code demonstrating exploitation has been publicly released. The vulnerability is considered a frequent attack vector for malicious cyber actors, and CISA's Binding Operational Directive 22-01 requires agencies to apply mitigations or discontinue use if patches are unavailable. While the directive is mandatory for federal agencies, CISA recommends that all organizations, regardless of sector, address the vulnerability immediately to prevent potential compromise of virtualized environments managed by VMware Tools and Aria Operations.
Timeline
Oct 30, 2025
CISA orders federal agencies to remediate by November 20
Under Binding Operational Directive 22-01, CISA required U.S. federal civilian agencies to patch or otherwise remediate the newly added KEV vulnerabilities by November 20, 2025. CISA also urged private organizations to prioritize the fixes.
Oct 30, 2025
CISA adds VMware and XWiki flaws to KEV catalog
CISA added CVE-2025-41244 affecting Broadcom VMware Aria Operations and VMware Tools, along with XWiki Platform flaw CVE-2025-24893, to its Known Exploited Vulnerabilities catalog after confirming in-the-wild exploitation.
Oct 30, 2025
Broadcom releases security update for VMware flaw
Broadcom addressed CVE-2025-41244 in a security update for affected VMware products, including VMware Tools and VMware Aria Operations. The update was released before CISA added the flaw to its Known Exploited Vulnerabilities catalog.
Oct 1, 2024
UNC5174 begins exploiting VMware Tools zero-day
The China-linked threat actor UNC5174 began exploiting CVE-2025-41244, a local privilege escalation flaw in VMware Tools, as a zero-day in active attacks. Reporting indicates this exploitation had been occurring since October 2024.
Related Stories

CISA Flags Actively Exploited VMware vCenter Server RCE (CVE-2024-37079)
**CISA added CVE-2024-37079, a critical VMware vCenter Server vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after Broadcom indicated it has evidence of in-the-wild exploitation.** The flaw is a **9.8 CVSS** out-of-bounds write/heap-overflow issue in vCenter Server’s **DCERPC** implementation; an attacker with network access can send specially crafted packets that may result in **remote code execution (RCE)**. CISA’s KEV entry does not attribute exploitation to a specific threat actor and lists ransomware use as **unknown**, but the KEV addition triggers mandatory remediation timelines for US federal agencies. Reporting also noted CISA added multiple other enterprise software issues to KEV in a short span (including vulnerabilities affecting **Versa Concerto** and **Zimbra**, plus developer tools), but the vCenter Server item drew specific attention because it was **patched by Broadcom in 2024** and is still being exploited. Broadcom has not publicly provided details on the scope, victims, or exploitation chain beyond acknowledging observed exploitation, reinforcing the need for organizations running vCenter Server to validate exposure and ensure the relevant updates are deployed.
1 month ago
Broadcom Patches VMware Aria Operations Flaws Enabling RCE During Support-Assisted Migrations
Broadcom issued advisory **VMSA-2026-0001** for **VMware Aria Operations** (formerly *vRealize Operations*), warning of three vulnerabilities affecting Aria Operations and bundled platforms including **VMware Cloud Foundation** and **VMware Telco Cloud**. The most severe issue, **CVE-2026-22719** (CVSS 8.1), is a **command injection** flaw that can be exploited by an **unauthenticated** attacker to execute arbitrary commands and potentially achieve **remote code execution** specifically **while a support-assisted product migration is in progress**. Broadcom released patches and also documented a workaround for CVE-2026-22719 in its response matrix/KB guidance. The advisory also covers **CVE-2026-22720** (CVSS 8.0), a **stored XSS** issue where a user with privileges to create custom benchmarks can inject script to perform administrative actions, and **CVE-2026-22721** (CVSS 6.2), a **privilege escalation** path where a user with vCenter access to Aria Operations can elevate to administrative control. Researchers **Sven Nobis** and **Lorin Lehawany** of **ERNW** were credited with reporting at least part of the findings. Impacted deployments include Aria Operations 8.x and related bundles across Cloud Foundation and Telco Cloud product lines; Broadcom’s fixed versions include updates such as Aria Operations **8.18.6** and Cloud Foundation **9.0.2.0**, and organizations are advised to prioritize upgrades due to the lack of workarounds for the XSS and privilege-escalation issues.
1 month ago
CISA Adds Actively Exploited Qualcomm and VMware Aria Operations Vulnerabilities to KEV Catalog
CISA updated its **Known Exploited Vulnerabilities (KEV) Catalog** to add two CVEs based on evidence of **active exploitation**: **CVE-2026-21385** (Qualcomm *Multiple Chipsets* **memory corruption**) and **CVE-2026-22719** (Broadcom **VMware Aria Operations** command injection). The KEV entry for CVE-2026-22719 notes the issue can allow an **unauthenticated attacker** to execute arbitrary commands, potentially leading to **remote code execution** during *support-assisted product migration*; CVE-2026-21385 is described as a memory corruption flaw related to memory allocation alignment across multiple Qualcomm chipsets. Under **Binding Operational Directive (BOD) 22-01**, Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA’s specified due dates; the KEV catalog update reflects an increase in total entries (from 1529 to 1531) and sets a remediation due date of **2026-03-24** for CVE-2026-22719. CISA emphasized that while BOD 22-01 applies to FCEB agencies, all organizations should prioritize remediation of KEV-listed vulnerabilities as part of vulnerability management due to their frequent use as attack vectors.
1 month ago