VMware Tools + Aria Ops: a small toggle, a big problem

CISA added CVE-2025-41244 to its KEV list: a Broadcom VMware Tools/Aria Operations vulnerability enabling local privilege escalation to root on VMs where Tools is managed by Aria Operations with SDMP enabled. NVISO says the bug was exploited as a zero-day from mid-October 2024; Mandiant attributes the activity to UNC5174, a cluster it assesses as likely China-linked. VMware patched last month. Federal agencies must mitigate by 20 November 2025. KEV also added a critical XWiki RCE (eval injection).

CISA has flagged CVE-2025-41244, affecting Broadcom VMware Tools when managed by Aria Operations with SDMP enabled. The issue lets a non-admin user escalate to root on the same VM—bad news for multi-tenant or tightly segmented estates. Patches are available, but the kicker is that this was reportedly exploited as a zero-day since October 2024, with activity linked by Mandiant to UNC5174.

Why you should care: local privesc is a classic defence-in-depth failure mode. One compromised low-priv account can suddenly run the show—dump creds, disable agents, and pivot. If your Tools estate is centrally managed with SDMP, patch quickly and check for configuration drift (Tools versions and where SDMP is actually enabled).

Actions today:
• Patch VMware Tools/Aria Operations; verify SDMP settings and scope.
• Threat-hunt for unusual privilege changes or agent tampering on guest VMs.
• Review least-privilege practices on guest OS and hypervisor tooling.

Note that CISA also added a critical XWiki RCE to KEV—patch content platforms too.
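The second action above (hunt for privilege changes and agent tampering on guest VMs) is the one most teams can start on before the patch window closes. The script below is an added example written for this post; it is not Broadcom, VMware or Mandiant tooling and it does not detect CVE-2025-41244 itself, since the post gives no technical indicators for the bug. It implements the generic hunt a defender would run over Linux guest syslog: root obtained via sudo by an account outside an admin allowlist, the open-vm-tools service being stopped, admin-group membership grants, and commands that stop or disable the Tools agent. The log lines, host names, user names and the admin allowlist are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed syslog-style sample, not real telemetry. Two guests, one
# unprivileged service account (svc-web) and two known admins (alice, bob).
SAMPLE_LOG = """\
Oct 21 03:14:07 vm-app01 sudo:  svc-web : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Oct 21 03:14:09 vm-app01 systemd[1]: Stopped open-vm-tools.service - Service for virtual machines hosted on VMware.
Oct 21 03:14:10 vm-app01 usermod[2210]: add 'svc-web' to group 'sudo'
Oct 21 03:15:02 vm-app01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Oct 21 03:16:30 vm-db02 systemd[1]: Started open-vm-tools.service - Service for virtual machines hosted on VMware.
Oct 21 03:17:45 vm-db02 sudo:    bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl disable open-vm-tools
"""

# Assumed allowlist of accounts that are expected to reach root on these guests.
ADMINS = {"alice", "bob"}
ADMIN_GROUPS = {"sudo", "wheel", "root", "admin"}

# "Mon DD HH:MM:SS host prog[pid]: message" (classic syslog layout).
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# sudo's own audit line: "user : TTY=... ; PWD=... ; USER=target ; COMMAND=cmd"
SUDO = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# usermod's group-change line: "add 'user' to group 'grp'"
GROUP = re.compile(r"^add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'$")
# Anything referring to the VMware Tools agent, and a stop/failure verb from systemd.
TOOLS_SVC = re.compile(r"(open-vm-tools|vmtoolsd|vmware-tools)", re.I)
TOOLS_STOP = re.compile(r"^(Stopped|Stopping|Failed)\b")
# Commands that would take the agent down (seen via sudo, whoever runs them).
TAMPER_CMD = re.compile(
    r"\b(systemctl (stop|disable|mask)|kill(all)?|pkill)\b.*(open-vm-tools|vmtoolsd)", re.I
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    user: str
    detail: str


def hunt(lines: Iterable[str], admins: set[str]) -> list[Finding]:
    """Apply the four hunt rules to syslog lines; returns findings in log order."""
    findings: list[Finding] = []
    for raw in lines:
        raw = raw.rstrip()
        if not raw:
            continue
        m = SYSLOG.match(raw)
        if m is None:
            continue  # not syslog-shaped; a real pipeline would count these
        ts, host, prog, msg = m["ts"], m["host"], m["prog"].strip(), m["msg"]
        if prog == "sudo":
            s = SUDO.match(msg)
            if s is None:
                continue
            user, target, cmd = s["user"], s["target"], s["cmd"]
            # Rule 1: root reached by an account that is not a known admin.
            if target == "root" and user not in admins:
                findings.append(Finding(ts, host, "root-via-sudo-nonadmin", user, cmd))
            # Rule 4: agent tampering via command, even from an admin account.
            if TAMPER_CMD.search(cmd):
                findings.append(Finding(ts, host, "tools-agent-tamper-cmd", user, cmd))
        elif prog == "systemd":
            # Rule 2: the Tools service stopped or failed (agent went dark).
            if TOOLS_SVC.search(msg) and TOOLS_STOP.match(msg):
                findings.append(Finding(ts, host, "tools-service-stopped", "-", msg))
        elif prog == "usermod":
            # Rule 3: someone was granted an admin group.
            g = GROUP.match(msg)
            if g and g["group"] in ADMIN_GROUPS:
                findings.append(Finding(ts, host, "admin-group-grant", g["user"], msg))
    return findings


def hosts_needing_review(findings: Iterable[Finding]) -> list[str]:
    """Distinct guests with at least one finding, for triage ordering."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines(), ADMINS):
        print(f"{f.ts}  {f.host:9} {f.rule:24} {f.user:8} {f.detail}")
    print("review:", ", ".join(hosts_needing_review(hunt(SAMPLE_LOG.splitlines(), ADMINS))))
```

On the sample, alice's sudo is allowed and the service start on vm-db02 is ignored, while svc-web reaching root, the Tools service stopping, svc-web being added to the sudo group, and bob disabling open-vm-tools are all surfaced. Rule 4 deliberately fires for admins too: on the guests this post is about, the Tools agent is also the management channel, so an unexplained stop is worth a ticket regardless of who issued it.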

Agencies must mitigate by 20 November 2025. Enterprises shouldn’t wait: if a low-priv compromise becomes root in one hop, your MTTD/MTTR won’t save you. Remove the hop.