
CISA Alerts on VMware Zero-Day Exploited by China-Linked Hackers


These articles are AI-generated summaries. Please check the original sources for full details.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-day vulnerability in Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, CVE-2025-41244 (CVSS 7.8), allows attackers to escalate privileges to root on affected systems and has been actively exploited by a China-linked group, UNC5174, since mid-2024. Mitigation measures are mandated for federal agencies by November 20, 2025.


Vulnerability Details

  • CVE Identifier: CVE-2025-41244
    • CVSS Score: 7.8 (High severity)
    • Impact: Enables local privilege escalation to root level, allowing unprivileged users to execute code in privileged contexts.
    • Affected Products:
      • Broadcom VMware Tools
      • VMware Aria Operations (with SDMP enabled)
  • Exploitation Timeline:
    • Discovery: May 2025 (by NVISO Labs during incident response).
    • Patch Release: October 2024 (by VMware).
    • Active Exploitation: Mid-October 2024 to present (as a zero-day).
  • Attack Vector:
    • Requires a non-administrative user with access to a VM running VMware Tools managed by Aria Operations.
    • Exploits unsafe actions in a privilege definition, bypassing standard access controls.
  • Attribution:
    • Linked to UNC5174, a China-associated threat actor tracked by Mandiant.
    • NVISO Labs notes the exploit is “trivial” to execute, though it remains unclear whether UNC5174 intentionally weaponized the flaw.

Additional Threats in the KEV Catalog

  • XWiki Eval Injection Vulnerability:
    • CVE: Not explicitly listed, but described as a critical flaw in XWiki.
    • Impact: Allows guest users to execute arbitrary remote code via a crafted request to the /bin/get/Main/SolrSearch endpoint.
    • Observed Activity: Attackers attempted to exploit this to deploy cryptocurrency miners.
  • Mitigation Deadline:
    • Federal Civilian Executive Branch (FCEB) agencies must apply patches by November 20, 2025, to comply with CISA mandates.

Recommendations

  • Immediate Actions for Affected Organizations:
    • Apply the October 2024 VMware patch for CVE-2025-41244.
    • Disable SDMP (Secure Data Management Protocol) in VMware Aria Operations if not required.
    • Monitor for unauthorized root-level activity on VMs.
  • General Cybersecurity Practices:
    • Regularly update software to address known vulnerabilities.
    • Implement least-privilege access controls for users and systems.
    • Conduct threat intelligence analysis to detect indicators of compromise (IOCs) linked to UNC5174.
  • Avoiding Pitfalls:
    • Delaying patching increases exposure to exploitation.
    • Overlooking non-VMware vulnerabilities (e.g., XWiki) may leave systems vulnerable to cryptocurrency mining or data exfiltration.
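As an added example (not code from the article, CISA or Broadcom), the following Python script shows how a defender can turn a KEV catalog entry like this one into a prioritized patch list: it reads records in the shape of CISA's KEV JSON feed, matches them against an asset inventory, and computes how many days remain before the remediation due date. The feed record values, the inventory and the matching rule are constructed assumptions for this example.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names are
# the feed's own; the record values are assumptions for this example, not a
# copy of the published catalog entry.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2025-41244",
    "vendorProject": "Broadcom",
    "product": "VMware Aria Operations and VMware Tools",
    "vulnerabilityName": "Privilege escalation via unsafe privilege definition (constructed text)",
    "dateAdded": "2025-10-30",
    "dueDate": "2025-11-20",
    "requiredAction": "Apply vendor mitigations or discontinue use (constructed text)",
}]})

# Constructed asset inventory; a real one would come from a CMDB or vCenter export.
INVENTORY = [
    {"hostname": "vm-app-01", "vendor": "Broadcom", "product": "VMware Tools"},
    {"hostname": "aria-ops-01", "vendor": "Broadcom", "product": "VMware Aria Operations"},
    {"hostname": "wiki-01", "vendor": "XWiki", "product": "XWiki"},
]


def load_kev(feed_json: str) -> list[dict]:
    """Parse the feed and keep only entries that carry a remediation due date."""
    return [v for v in json.loads(feed_json)["vulnerabilities"] if v.get("dueDate")]


def matches(entry: dict, asset: dict) -> bool:
    """Vendor must match exactly; product uses case-insensitive containment,
    because a KEV entry often names several products in one string."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and asset["product"].lower() in entry["product"].lower())


def triage(entries: list[dict], inventory: list[dict], today: date) -> list[dict]:
    """Return one finding per (asset, KEV entry) pair, most urgent first."""
    findings = []
    for entry in entries:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for asset in inventory:
            if matches(entry, asset):
                findings.append({"hostname": asset["hostname"], "cve": entry["cveID"],
                                 "due": entry["dueDate"], "days_left": days_left,
                                 "overdue": days_left < 0})
    return sorted(findings, key=lambda f: (f["days_left"], f["hostname"]))


if __name__ == "__main__":
    for f in triage(load_kev(KEV_FEED_JSON), INVENTORY, date.today()):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['hostname']:<12} {f['cve']} due {f['due']} ({flag})")
```

Hosts whose product string does not appear in any KEV entry (here wiki-01, since the constructed feed carries no XWiki record) produce no finding, so an empty result for a host means "no matching catalog entry", not "patched".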

Reference

https://thehackernews.com/2025/10/cisa-flags-vmware-zero-day-exploited-by.html
