- CISA added CVE-2025-41244 to KEV, requiring patching by November 20
- Bug allows local privilege escalation via VMware Tools with SDMP enabled
- The Chinese group UNC5174 took advantage of it for espionage directed at Western and Asian institutions.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Broadcom bug to its Known Exploited Vulnerabilities (KEV) catalog, warning Federal Civilian Executive Branch (FCEB) agencies that it is being abused in the wild.
The bug in question is a local privilege escalation vulnerability that affects VMware Aria Operations and VMware Tools. According to the NVD, a malicious local actor with non-administrative privileges who has access to a virtual machine with VMware Tools installed and managed by Aria Operations with SDMP enabled can exploit it to escalate privileges to root on the same virtual machine.
The bug is tracked as CVE-2025-41244 and was assigned a severity score of 7.8/10 (High). Those looking for a fix for 32-bit Windows should look into VMware Tools 12.4.9, part of VMware Tools 12.5.4. For Linux, a fixed version of open-vm-tools will be distributed by Linux vendors.
Chinese attackers
By adding it to KEV, CISA gave FCEB agencies three weeks to apply the patch (which was released about a month ago) or stop using the vulnerable products altogether. The deadline is November 20.
At the same time, security researchers say the bug has been exploited by Chinese state-sponsored attackers for about a year. In fact, NVISO claims that a group tracked as UNC5174 has been using it since mid-October 2024, and the researchers even published proof-of-concept (PoC) code to demonstrate how it could be leveraged.
According to Google Mandiant, UNC5174 was contracted by China’s Ministry of State Security (MSS) to gain access to US defense contractors, UK government agencies, and different Asian institutions.
In late 2024, Chinese state-sponsored threat actors abused multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to access French government agencies as well as numerous commercial entities, including telecommunications companies and financial and transportation organizations. The attacks were attributed to a group tracked as Houken, which researchers say has many similarities to UNC5174.
Via BleepingComputer