Full Report
On Thursday, CISA warned U.S. government agencies to secure their systems against attacks exploiting a high-severity vulnerability in Broadcom’s VMware Aria Operations and VMware Tools software. Tracked as CVE-2025-41244 and patched one month ago, this vulnerability allows local attackers with non-administrative privileges on a virtual machine (VM) that has VMware Tools installed and is managed by Aria Operations with SDMP enabled…
Analysis Summary
# Vulnerability: Privilege Escalation in VMware Aria Operations/Tools
## CVE Details
- CVE ID: CVE-2025-41244
- CVSS Score: Not given in the source; the advisory rates the flaw as High severity.
- CWE: Not specified in the source.
## Affected Systems
- Products: Broadcom’s VMware Aria Operations and VMware Tools software.
- Versions: Not listed in the source. Treat every VMware Tools and Aria Operations build released before the vendor patch (about one month before the CISA advisory) as vulnerable until the exact fixed versions are confirmed from the Broadcom advisory.
- Configurations: The target VM must have VMware Tools installed and must be managed by Aria Operations with the Service Discovery Management Pack (SDMP) enabled.
## Vulnerability Description
This is a local privilege escalation vulnerability. A low-privileged, non-administrative attacker who already has a foothold *inside* a guest VM running VMware Tools can escalate to `root` on that same VM, provided the VM is managed by VMware Aria Operations with SDMP enabled. The escalation is confined to the guest: the source describes no path from the guest to the ESXi host or to the Aria Operations instance itself.
## Exploitation
- Status: Exploited in the wild (CISA has added it to the KEV catalog, noting ongoing attacks, specifically mentioning Chinese threat actors).
- Complexity: Low (Implied by the context of being exploitable by a local, non-admin user).
- Attack Vector: Local (Requires existing, low-privileged access to the target VM).
## Impact
- Confidentiality: High (root on the guest exposes everything stored on that VM, including any credentials, keys, or tokens cached there.)
- Integrity: High (root can modify or destroy system files, install persistence, and tamper with logs on the guest.)
- Availability: High (root can halt, reboot, or otherwise deny service from the guest.)
- Scope: The source describes escalation within a single VM only; it does not claim a VM escape or compromise of the hypervisor or of Aria Operations.
## Remediation
### Patches
- Broadcom released fixes about one month before the CISA advisory (the advisory itself dates from late October 2025). Exact fixed version numbers for VMware Tools and Aria Operations are not given in this summary; take them from the vendor advisory before declaring a host remediated.
- Under Binding Operational Directive (BOD) 22-01, CISA requires U.S. Federal Civilian Executive Branch (FCEB) agencies to apply the patches by November 20.
### Workarounds
- None are detailed in the source; patching is the required action. Because exploitation is stated to depend on SDMP being enabled in Aria Operations, organisations that cannot patch immediately should check the vendor advisory for whether disabling SDMP is an acceptable interim measure rather than assuming it is.
## Detection
- CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities (KEV) catalog, so any exposed guest should be treated as a candidate for compromise, not only for patching.
- Scope the hunt first: inventory which VMs run VMware Tools and are managed by an Aria Operations instance with SDMP enabled, since only those meet the stated preconditions.
- On those guests, focus on privilege escalation by low-privileged users. Because the flaw sits in VMware Tools and yields root inside the guest, a practical starting point is auditing root-level processes launched by the VMware Tools daemon (vmtoolsd) from user-writable locations such as /tmp, together with any new root sessions or SUID binaries that appear in those locations.
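The following Python script is an added example (not code from the page, Broadcom, or CISA) of the detection logic described above. It scans process-execution records for root-level launches from user-writable paths and ranks those started by the VMware Tools daemon highest. It assumes, and this is an assumption rather than a statement from the page, that exploitation surfaces as the root-running daemon `vmtoolsd` executing a binary an unprivileged user placed in a user-writable directory; the record layout and the sample events are constructed for the example.

```python
"""Hunt for root-level process launches that fit the CVE-2025-41244 pattern
inside a Linux guest.

Added example, not code from the page or from Broadcom/CISA. Assumption (not
stated on the page): exploitation shows up as the VMware Tools daemon
(vmtoolsd), which runs as root, executing a binary from a user-writable
directory. The record format and SAMPLE_EVENTS are constructed; in practice
you would feed this auditd EXECVE/SYSCALL pairs or EDR process events.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Directories an unprivileged user can normally write to on a Linux guest.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Command names treated as the VMware Tools daemon (assumption: the daemon's
# comm is "vmtoolsd"; open-vm-tools uses the same name).
TOOLS_DAEMON_NAMES = {"vmtoolsd"}

# Linux reports an unset audit uid as (uid_t)-1.
AUID_UNSET = 4294967295


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    uid: int          # effective uid of the new process
    auid: int         # audit (login) uid of the originating session
    exe: str          # resolved path of the executable
    parent_comm: str  # command name of the parent process


def in_user_writable_dir(path: str) -> bool:
    """True if the executable lives somewhere a non-root user could have written it."""
    return path.startswith(USER_WRITABLE_PREFIXES)


def classify(ev: ProcEvent) -> Optional[str]:
    """Return an alert label for a suspicious event, or None if it looks benign."""
    if ev.uid != 0:
        return None  # only root-level launches matter for privilege-escalation hunting
    if not in_user_writable_dir(ev.exe):
        return None  # vmtoolsd legitimately runs helper scripts from system paths
    if ev.parent_comm in TOOLS_DAEMON_NAMES:
        return "HIGH: vmtoolsd ran a binary from a user-writable path as root"
    if ev.auid not in (0, AUID_UNSET):
        return "MEDIUM: root process from a user-writable path in a non-root login session"
    return "LOW: root process from a user-writable path"


def scan(events: Iterable[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, exe, label) for every event that classify() flags."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.pid, ev.exe, label))
    return hits


# Constructed sample: a benign daemon start, a legitimate helper script,
# one launch matching the escalation pattern, and three other events.
SAMPLE_EVENTS = [
    ProcEvent(2100, 1, 0, AUID_UNSET, "/usr/bin/vmtoolsd", "systemd"),
    ProcEvent(2311, 2100, 0, AUID_UNSET, "/usr/bin/sh", "vmtoolsd"),
    ProcEvent(2312, 2100, 0, AUID_UNSET, "/tmp/.cache/svc", "vmtoolsd"),
    ProcEvent(3001, 2900, 1001, 1001, "/tmp/.cache/svc", "bash"),
    ProcEvent(3050, 3001, 0, 1001, "/tmp/.cache/rootsh", "sh"),
    ProcEvent(4000, 1, 0, 0, "/home/admin/deploy.sh", "cron"),
]

if __name__ == "__main__":
    for pid, exe, label in scan(SAMPLE_EVENTS):
        print(f"pid={pid} exe={exe} {label}")
```

The user-writable prefix list and the daemon name are the tunable parts: extend the prefixes with any world-writable mount points in your builds, and expect some LOW hits from legitimate cron or deployment scripts under /home, which is why only the vmtoolsd-parented case is rated HIGH.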
## References
- Broadcom/VMware advisory for CVE-2025-41244 (fix released about one month before the CISA advisory).
- CISA Known Exploited Vulnerabilities (KEV) catalog entry for CVE-2025-41244.
- BleepingComputer article as cited in the source (defanged: hxxps://www.bleepingcomputer.com/news/security/broadcom-fixes-high-severity-vmware-nsx-bugs-reported-by-nsa/). Note that this URL, as given, points to a story about VMware NSX bugs reported by the NSA rather than to CVE-2025-41244; treat the link as unverified for this CVE.