The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-41244 to its Known Exploited Vulnerabilities catalog. This local privilege escalation flaw affects Broadcom’s VMware Aria Operations and VMware Tools, with evidence of active exploitation in the wild.
Security researchers and officials urge immediate patching to prevent potential ransomware and other attacks that could compromise virtualized infrastructures.
The vulnerability, rated Important by Broadcom with a CVSSv3 base score of 7.8, is a "privilege defined with unsafe actions" weakness. It allows a malicious local actor with non-administrative access to a virtual machine (VM) to escalate their privileges to root on the same VM.
The exposure condition Broadcom describes is a VM where VMware Tools is installed and managed by Aria Operations with the Service Discovery Management Pack (SDMP) enabled; the Tools-side service discovery runs with root privileges, which is what makes the unsafe action reachable from an unprivileged account.
Broadcom confirmed that suspected exploitation has already occurred, heightening concerns for organizations relying on VMware for cloud and on-premises virtualization.
VMware Tools and Aria Operations Vulnerability
At its core, CVE-2025-41244 is an improper privilege-handling flaw in VMware Tools and Aria Operations. A low-privileged user on an already-compromised VM can leverage it to gain full administrative control of that VM, and from there potentially pivot to broader network access or data exfiltration.
The attack requires local access, so an initial foothold, whether through phishing or an unpatched endpoint, would serve as the entry point.
Broadcom ties the issue to CWE-267 (Privilege Defined With Unsafe Actions), a reminder that a seemingly benign management feature can become an attack surface. No workarounds exist, so patching is the only remediation.
Affected components include VMware Tools versions prior to 12.5.4 and specific Aria Operations releases. For Linux users, open-vm-tools updates will roll out via vendors, while Windows 32-bit systems are covered in Tools 12.4.9 as part of the 12.5.4 bundle.
| CVE ID | Affected Products | CVSSv3 Score | Impact | Fixed Versions | Exploitation Status | 
|---|---|---|---|---|---|
| CVE-2025-41244 | VMware Aria Operations, VMware Tools | 7.8 (Important) | Local privilege escalation to root on VM | Tools 12.5.4; Aria Operations patches per matrix; open-vm-tools via vendors | Suspected in-the-wild exploitation; added to CISA KEV catalog | 
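Because the only remediation is a version upgrade, the practical first step is a fleet-wide check of reported VMware Tools versions against the fix levels above. The script below is an added triage example, not code from the original article, from Broadcom, or from CISA: it parses the output of `vmware-toolboxcmd -v` and classifies each host. The hostnames, platform labels and build numbers in the sample inventory are constructed for illustration. One deliberate caveat: this page only gives fix levels for the 12.x branch (12.5.4, and 12.4.9 for Windows 32-bit), so a version on any other branch is reported as CHECK_ADVISORY rather than assumed safe, since other branches may carry their own fix level in the vendor advisory.

```python
"""Triage VMware Tools versions against the CVE-2025-41244 fix levels stated on this page."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fix levels as stated on this page. Keys are a platform label chosen for this
# example (assumption, not a Broadcom or CISA field). Any branch not matching the
# major version of the fix is deliberately NOT treated as fixed.
FIX_LEVEL: Dict[str, Version] = {
    "linux": (12, 5, 4),        # VMware Tools 12.5.4 / open-vm-tools via distro
    "windows-x64": (12, 5, 4),  # VMware Tools 12.5.4
    "windows-x86": (12, 4, 9),  # 12.4.9 for Windows 32-bit, shipped in the 12.5.4 bundle
}

# `vmware-toolboxcmd -v` prints e.g. "12.3.5.46049 (build-22544099)"; keep major.minor.patch.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_tools_version(output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from toolbox output; None if unparseable."""
    m = VERSION_RE.match(output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Optional[Version], platform: str) -> str:
    """Classify a version against the fix level for its platform.

    PATCHED        same major release as the fix and at or above it
    VULNERABLE     same major release, below the fix
    CHECK_ADVISORY unparseable output, unknown platform, or a different major
                   release (e.g. 13.x or 11.x): this page states no fix level
                   for those branches, so they are never assumed safe.
    """
    fix = FIX_LEVEL.get(platform)
    if version is None or fix is None or version[0] != fix[0]:
        return "CHECK_ADVISORY"
    return "PATCHED" if version >= fix else "VULNERABLE"


def check_local(platform: str) -> str:
    """Query this host's Tools version (Linux/open-vm-tools binary name shown)."""
    try:
        proc = subprocess.run(["vmware-toolboxcmd", "-v"],
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "CHECK_ADVISORY"
    return assess(parse_tools_version(proc.stdout), platform)


# Constructed sample inventory: (hostname, platform, raw `vmware-toolboxcmd -v` output).
# Build numbers are made up and carry no meaning.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("web01", "linux", "12.3.5.46049 (build-22544099)"),
    ("db02", "linux", "12.5.4.24887687 (build-24887687)"),
    ("legacy-win32", "windows-x86", "12.4.9.24884770 (build-24884770)"),
    ("k8s-node", "linux", "13.0.0.24696409 (build-24696409)"),
    ("broken", "linux", "vmware-toolboxcmd: command not found"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map hostname -> status for a collected inventory of toolbox outputs."""
    return {host: assess(parse_tools_version(raw), plat) for host, plat, raw in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

On Windows guests the equivalent binary is `VMwareToolboxCmd.exe` in the VMware Tools install directory; collect its `-v` output centrally and feed the lines to `triage`. A CHECK_ADVISORY result is a work item, not a pass: consult Broadcom's advisory for that branch before closing the ticket.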
Mitigations
CISA's KEV entry carries its standard instruction: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The BOD 22-01 remediation deadline is binding on Federal Civilian Executive Branch agencies, but the catalog is a patch-priority signal for every organization running the affected products.
This incident underscores the persistent targeting of virtualization platforms, which power much of today’s hybrid IT landscapes.
Broadcom credited Maxime Thiebaut of NVISO for discovering and reporting the flaw, highlighting the role of collaborative security research.
As ransomware campaigns increasingly exploit such vulnerabilities, enterprises must prioritize vulnerability management. With exploitation now confirmed by the KEV listing, unpatched systems remain prime targets, and delaying action could lead to severe operational disruptions.