Broadcom has warned that threat actors are actively exploiting a high-severity vulnerability in its VMware Aria Operations and VMware Tools software.
Tracked as CVE-2025-41244, the vulnerability is a local privilege escalation flaw. A local adversary with non-administrative access to a Virtual Machine (VM) that has VMware Tools installed and is managed by Aria Operations with the Service Discovery Management Pack (SDMP) can use it to escalate privileges to root on that same VM; no access to the Aria Operations server itself is required.
The vulnerability was reported to Broadcom in May this year by Maxime Thiebaut, Incident Response & Threat Research Expert at NVISO Security.
According to Thiebaut, a Chinese state-sponsored threat actor tracked as UNC5174 has been exploiting the vulnerability in attacks since mid-October 2024, roughly a year before the patch. However, it is unclear whether the threat actor exploited the flaw deliberately, or whether the exploitation occurred as a byproduct of another attack.
“The vulnerabilities’ trivialness and adversary practice of mimicking system binaries (T1036.005) do not allow us to determine with confidence whether UNC5174 willfully achieved exploitation,” Thiebaut explains.
Because the flaw is triggered simply by a binary carrying a system-service name in a location the discovery component inspects, several malware strains may have been benefiting from unintended privilege escalations for years without their operators realizing it, he adds.
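The two facts the article gives a defender to work with are the precondition (a non-administrative user on a guest running VMware Tools under SDMP ends up with code running as root) and the tradecraft (T1036.005, a look-alike of a system binary dropped somewhere an unprivileged user can write). The following hunting snippet is an added example written for this article, not code from Broadcom, NVISO or CISA. It triages constructed process-creation events: a process whose executable name matches a well-known service but whose path lies outside the directories where services are installed is flagged, and is rated high when it ran as uid 0. The event schema, the service-name list, the trusted-directory list and the `vmtoolsd` parent name in the sample data are all assumptions chosen for illustration.

```python
"""Hunt for system-binary look-alikes (ATT&CK T1036.005) executed as root.

Added example for this article; not Broadcom, NVISO or CISA code.
Event schema and sample events are constructed for illustration.
"""
import os
from dataclasses import dataclass
from typing import List

# Service names a discovery agent would plausibly inventory (assumption;
# extend it to match the services actually deployed in your estate).
SERVICE_NAMES = {
    "httpd", "nginx", "apache2", "mysqld", "mariadbd", "postgres",
    "sshd", "java", "redis-server", "mongod", "tomcat",
}

# Where legitimately installed service binaries are expected to live
# (assumption; /opt is trusted here because vendor packages install there).
TRUSTED_DIRS = (
    "/usr/bin", "/usr/sbin", "/bin", "/sbin",
    "/usr/local/bin", "/usr/local/sbin", "/usr/lib", "/opt",
)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed schema, not a real EDR format)."""
    pid: int
    uid: int      # effective uid the process ran with
    exe: str      # executable path as reported by the sensor
    parent: str   # parent process name, kept for triage context


@dataclass(frozen=True)
class Finding:
    event: ProcEvent
    severity: str   # "high": ran as root; "low": staged by a non-root user
    reason: str


def is_trusted_path(path: str) -> bool:
    """True if the normalised path sits under a trusted directory.

    normpath collapses '..' so '/usr/bin/../../tmp/httpd' is judged as
    '/tmp/httpd' rather than as something under /usr/bin.
    """
    norm = os.path.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in TRUSTED_DIRS)


def mimics_system_binary(path: str) -> bool:
    """True if the basename is a known service name but the path is untrusted."""
    norm = os.path.normpath(path)
    return os.path.basename(norm) in SERVICE_NAMES and not is_trusted_path(norm)


def triage(events: List[ProcEvent]) -> List[Finding]:
    """Return findings, ordered as the events were seen."""
    findings: List[Finding] = []
    for e in events:
        if not mimics_system_binary(e.exe):
            continue
        name = os.path.basename(os.path.normpath(e.exe))
        if e.uid == 0:
            findings.append(Finding(
                e, "high",
                f"root executed '{name}' look-alike from untrusted path "
                f"{e.exe} (parent: {e.parent})"))
        else:
            findings.append(Finding(
                e, "low",
                f"uid {e.uid} ran '{name}' look-alike at {e.exe}; "
                f"a later root execution of the same path would complete the chain"))
    return findings


# Constructed sample telemetry. 'vmtoolsd' as parent is an assumption about
# the process under which guest-side service discovery runs.
SAMPLE_EVENTS = [
    ProcEvent(101, 0, "/usr/sbin/httpd", "systemd"),                 # benign
    ProcEvent(102, 1000, "/tmp/httpd", "bash"),                     # staged by user
    ProcEvent(103, 0, "/tmp/httpd", "vmtoolsd"),                    # root ran the look-alike
    ProcEvent(104, 0, "/dev/shm/nginx", "vmtoolsd"),                # root ran the look-alike
    ProcEvent(105, 0, "/usr/bin/../../dev/shm/mysqld", "vmtoolsd"), # traversal disguise
    ProcEvent(106, 0, "/opt/nginx/sbin/nginx", "systemd"),          # benign vendor install
    ProcEvent(107, 1000, "/home/dev/build/java", "bash"),           # staged by user
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] pid={f.event.pid} {f.reason}")
```

The low-severity tier is deliberate: on an unpatched guest the staging event by a normal user is the earlier signal, and correlating it with a later uid 0 execution of the same path is what turns a curiosity into an incident. A sensor that reports resolved executable paths will already have collapsed the traversal case; the `normpath` call covers sensors that pass the raw string through.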
Urgent Remediation Required
Following Thiebaut's report, Broadcom has released fixed versions of both VMware Aria Operations and VMware Tools. Because the vulnerable behaviour is on the guest side, updating the Aria Operations server alone is not enough: VMware Tools must be updated inside each affected VM, and Linux guests that run open-vm-tools receive the fix through their distribution's packages rather than from Broadcom. As the flaw has been exploited in the wild, CISA has added it to its Known Exploited Vulnerabilities (KEV) Catalog.
As mandated by Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies running affected versions of VMware Aria Operations and VMware Tools must apply the fix by November 20th.
However, while the mandate only applies to FCEB agencies, CISA is urging all organizations using the vulnerable software to take remediation action as soon as possible.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA says. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”