Ethical Hacking News
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-41244, a local privilege escalation vulnerability in VMware's Aria Operations and VMware Tools, to its Known Exploited Vulnerabilities (KEV) catalog after confirming exploitation in the wild. The flaw is trivially exploitable and lets an attacker who already holds a non-administrative foothold on an affected system escalate to root. Exploitation was observed before a patch existed, which is what makes this a zero-day, and it has been attributed to the China-linked threat actor UNC5174. Organizations running either product should patch as soon as possible.
The vulnerability was found earlier this year by NVISO Labs researcher Maxime Thiebaut during an incident response engagement, where it was already being exploited. It then remained unaddressed for several months before Broadcom-owned VMware shipped a fix last month (September 2025). During that window the zero-day was abused by activity NVISO attributes to the China-linked threat actor UNC5174.
According to CISA's KEV entry, the flaw allows an attacker with non-administrative privileges on an affected system to escalate to root and execute arbitrary code in that privileged context. Note that this is a local privilege escalation, not a remote entry point: the attacker needs an initial foothold first, such as a compromised service or user account inside the guest or on the Aria Operations appliance, which is why the bug fits naturally into post-exploitation tooling. Thiebaut noted that, because the bug is so trivial to exploit, it is unclear whether exploiting it was a deliberate part of UNC5174's capabilities or simply a coincidence.
In the same KEV update CISA also added an eval injection vulnerability in XWiki, CVE-2025-24893, which lets any guest user, that is, an unauthenticated visitor, achieve remote code execution by means of a specially crafted request to the "/bin/get/Main/SolrSearch" endpoint. Earlier this week, VulnCheck reported observing unknown threat actors attempting to exploit the flaw to deliver a cryptocurrency miner.
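The following script is an added example, not code from the article, CISA, VMware or XWiki; it runs two hunting checks over constructed log samples, one for each KEV entry described above. For CVE-2025-41244 it assumes, based on public analyses rather than anything stated on this page, that the exploit path is the VMware Tools daemon (vmtoolsd) executing a binary an unprivileged user planted in a user-writable directory, so it flags vmtoolsd child processes running from outside package-managed prefixes; the trusted prefix list is an assumption to tune to your baseline. For the XWiki flaw it flags requests to the /bin/get/Main/SolrSearch endpoint named above whose parameters carry XWiki macro delimiters ({{ and }}) after full URL decoding, on the assumption that the eval injection arrives as wiki macro syntax; the sample payloads are placeholders, not working exploits. The event format, hostnames, IPs and timestamps are all constructed.

```python
"""Hunting checks for the two KEV entries discussed above (added example).

Assumptions that are not from the article are marked inline.
"""
import re
import urllib.parse

# Constructed process-execution events, one per line, in a simplified
# key=value form as an EDR or auditd pipeline might emit. Not real telemetry.
PROC_EVENTS = [
    '2025-10-30T09:12:01Z pid=4120 ppid=1312 parent=/usr/bin/vmtoolsd exe=/usr/sbin/httpd argv="/usr/sbin/httpd -v"',
    '2025-10-30T09:12:02Z pid=4121 ppid=1312 parent=/usr/bin/vmtoolsd exe=/tmp/httpd argv="/tmp/httpd -v"',
    '2025-10-30T09:12:03Z pid=4122 ppid=2201 parent=/bin/bash exe=/tmp/httpd argv="/tmp/httpd -v"',
    '2025-10-30T09:12:04Z pid=4123 ppid=1312 parent=/usr/bin/vmtoolsd exe=/home/dev/.local/bin/nginx argv="/home/dev/.local/bin/nginx -v"',
]

# Constructed Combined Log Format lines from a web server fronting XWiki.
# The macro names in the payloads are placeholders, not a working exploit.
ACCESS_LOG = [
    '10.0.0.5 - - [30/Oct/2025:10:01:07 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=vmware+tools HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Oct/2025:10:02:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Bexample%7D%7D HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '203.0.113.9 - - [30/Oct/2025:10:02:15 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257B%257Bexample%257D%257D HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.7 - - [30/Oct/2025:10:03:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

# ASSUMPTION: on a healthy host everything vmtoolsd spawns lives under a
# package-managed prefix; a child running from a user-writable path is the
# signal. Tune this list to your own baseline.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")

PROC_RE = re.compile(r"pid=(?P<pid>\d+) ppid=\d+ parent=(?P<parent>\S+) exe=(?P<exe>\S+)")


def suspicious_vmtoolsd_children(events):
    """Return (pid, exe) for processes vmtoolsd spawned from outside TRUSTED_PREFIXES."""
    hits = []
    for line in events:
        m = PROC_RE.search(line)
        if not m:
            continue
        parent, exe = m.group("parent"), m.group("exe")
        if parent.endswith("/vmtoolsd") and not exe.startswith(TRUSTED_PREFIXES):
            hits.append((int(m.group("pid")), exe))
    return hits


CLF_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SOLR_ENDPOINT = "/bin/get/Main/SolrSearch"  # endpoint named in the KEV entry
MACRO_RE = re.compile(r"\{\{|\}\}")         # XWiki macro delimiters


def _fully_decode(value, rounds=3):
    """Undo stacked percent-encoding; attackers double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_solrsearch_requests(log_lines):
    """Return (param, decoded_value) for SolrSearch requests whose parameters carry macro syntax."""
    hits = []
    for line in log_lines:
        m = CLF_RE.search(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m.group("target"))
        if not url.path.endswith(SOLR_ENDPOINT):
            continue
        # parse_qs strips one layer of encoding; _fully_decode handles the rest.
        for name, values in urllib.parse.parse_qs(url.query).items():
            for value in values:
                decoded = _fully_decode(value)
                if MACRO_RE.search(decoded):
                    hits.append((name, decoded))
    return hits


if __name__ == "__main__":
    for pid, exe in suspicious_vmtoolsd_children(PROC_EVENTS):
        print(f"[CVE-2025-41244?] vmtoolsd spawned pid {pid} from {exe}")
    for name, value in suspicious_solrsearch_requests(ACCESS_LOG):
        print(f"[XWiki SolrSearch] macro syntax in parameter {name!r}: {value}")
```

Run against the constructed samples, the first check flags the two vmtoolsd children launched from /tmp and a home directory and ignores the identical binary when its parent is an interactive shell; the second flags both the single- and the double-encoded macro payloads while passing the ordinary search and the unrelated page view. The double-decoding loop matters because a filter that decodes only once would miss the third request entirely.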
Under CISA's Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the vendor mitigations for both flaws by November 20, 2025. Organizations outside the directive are not bound by that date, but given that both bugs are already being exploited it is a sensible upper bound for their own patching.
For VMware customers the practical checklist is to update Aria Operations to a fixed build and to update VMware Tools inside every guest, not just on the hypervisor, since the vulnerable code runs in the guest operating system; Linux guests that use the distribution-packaged open-vm-tools receive the fix through their package manager. XWiki administrators should upgrade to a patched release and, until then, review access logs for unexpected requests to the SolrSearch endpoint. Because exploitation of the VMware flaw predates its patch by months, treat exposed systems as potentially already compromised and hunt for post-exploitation activity rather than only patching.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Warns-of-Active-Exploitation-of-VMware-Zero-Day-Vulnerability-ehn.shtml
https://thehackernews.com/2025/10/cisa-flags-vmware-zero-day-exploited-by.html
https://nvd.nist.gov/vuln/detail/CVE-2025-41244
https://www.cvedetails.com/cve/CVE-2025-41244/
Published: Fri Oct 31 10:20:09 2025 by llama3.2 3B Q4_K_M