A month after The Stack reported on a VMware vulnerability that had been exploited in the wild, unnoticed, for a year, CISA has added the bug, CVE-2025-41244, to its Known Exploited Vulnerabilities (KEV) catalogue.

Broadcom's VMware Aria Operations and VMware Tools were found in late September to have a local privilege escalation (LPE) vulnerability that had been exploited in the wild for nearly a year.

The 7.8-severity bug was added to KEV late Thursday. The LPE is the 30th VMware vulnerability known to be exploited in the wild in the catalogue – and the fourth added this year.

It comes days after we revealed that the threat group that breached F5 is moving quickly from vulnerable network appliances to vCenter servers and ESXi hypervisors – deploying previously unseen malware dubbed "Junction" to pull data "out of ESXi guest VMs via VSOCK sockets."

CISA outlined the known attack vector as: “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.”

According to researchers at Belgian security firm Nviso, who first reported the bug on September 30, the vulnerability had been exploited in the wild unnoticed since as early as October 2024.

The Belgian security team said the vulnerability had already been used by Chinese state actor UNC5174, but that it wasn’t clear whether it had been developed as a zero-day.

The vulnerability impacts the following products: 

  • VMware Aria Operations
  • VMware Tools
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform
  • VMware Telco Cloud Infrastructure

Broadcom pushed a patch for the bug back in late September, after it was flagged by the Nviso team. The software supplier also circulated an updated version of the package open-vm-tools, widely used in Linux distributions, which was impacted by the same vulnerability. 
