- CISA added CVE-2025-41244 to KEV, mandating patching by November 20
- The bug enables local privilege escalation via VMware Tools with SDMP enabled
- Chinese group UNC5174 exploited it for espionage targeting Western and Asian institutions
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Broadcom bug to its Known Exploited Vulnerabilities (KEV) catalog, warning Federal Civilian Executive Branch (FCEB) agencies about in-the-wild abuse.
The bug in question is a local privilege escalation vulnerability affecting VMware Aria Operations and VMWare tools. According to the NVD, a malicious local actor with non-administrative privileges having access to a VM with VMWare Tools installed and managed by Aria Operations with SDMP enabled may exploit it to escalate privileges to root on the same VM.
The bug is tracked as CVE-2025-41244, and was given a severity score of 7.8/10 (high). Those looking for a fix for Windows 32-bit should seek out VMWare Tools 12.4.9, part of VMWare Tools 12.5.4. For Linux, there is a version of open-vm-tools that will be distributed by Linux vendors.
Chinese attackers
By adding it to KEV, CISA gave FCEB agencies a three-week deadline to apply the patch (which was published roughly a month ago) or stop using the vulnerable products entirely. The deadline is November 20.
At the same time, security researchers are saying that the bug was being leveraged by Chinese state-sponsored criminals for roughly a year now. In fact, NVISO claims that a group tracked as UNC5174 has been using it since mid-October 2024, and even released proof-of-concept (POC) code to demonstrate how it could be leveraged, BleepingComputer reports.
According to Google Mandiant, UNC5174 was hired by China’s Ministry of State Security (MSS) to obtain access to US defense contractors, UK government agencies, and different Asian institutions.
In late 2024, Chinese state-sponsored threat actors abused multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to access French government agencies, as well as numerous commercial entities such as telcos, finance, and transportation organizations. The attacks were attributed to a group tracked as Houken which, researchers claimed, bears many similarities to UNC5174.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
