Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), which could be exploited by an attacker to attain
Analysis Summary
# Vulnerability: VMware Tools/Aria Operations Local Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-41244
- CVSS Score: 7.8 (High)
- CWE: Privilege defined with unsafe actions (Implied)
## Affected Systems
- Products: Broadcom VMware Tools, VMware Aria Operations
- Versions: Not listed in the source text; affected builds are those predating the vendor patch release.
- Configurations: Vulnerable when VMware Tools is installed *and* managed by Aria Operations with SDMP enabled.
## Vulnerability Description
The vulnerability is a local privilege escalation flaw in Broadcom VMware Tools that arises when the guest is managed by Aria Operations with SDMP enabled: a privilege is defined in a way that permits unsafe actions. A malicious **local actor** with non-administrative privileges on a Virtual Machine (VM) can exploit this to escalate their privileges to **root** on that same VM. In effect, an unprivileged user gains code execution in a privileged context.
## Exploitation
- Status: Exploited in the wild (Reported as a zero-day exploited since mid-October 2024)
- Complexity: Trivial to exploit (according to NVISO Labs)
- Attack Vector: Local
## Impact
- Confidentiality: Potentially High (Code execution in root context)
- Integrity: Potentially High (Code execution in root context)
- Availability: Potentially High (Code execution in root context)
## Remediation
### Patches
- Patches were released by Broadcom-owned VMware last month (prior to the report date). Specific version numbers are **not provided** in the text.
### Workarounds
- No specific workarounds were detailed in the provided text. Because exploitation requires a specific configuration (the VM managed by Aria Operations with SDMP enabled), disabling that feature or restricting local access to affected VMs may serve as a temporary measure until the patch is applied.
## Detection
- **Indicators of Compromise (IOCs):** Details surrounding the exact payload executed following exploitation of CVE-2025-41244 have been withheld.
- **Detection Methods and Tools:** N/A (Specific detection signatures were withheld). The mention of active exploitation by a China-linked threat actor (UNC5174) suggests threat hunting should focus on lateral movement or unusual local privilege changes on vulnerable hosts.
## References
- Vendor Advisory: Broadcom/VMware (Implied by "The vulnerability was addressed by Broadcom-owned VMware last month")
- CISA KEV: CISA alert mentioning inclusion in the KEV catalog.
- External Report: NVISO Labs discovered the flaw in May and reported activity linked to UNC5174.