The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-41244 to its Known Exploited Vulnerabilities (KEV) catalog. This local privilege escalation flaw affects Broadcom’s VMware Aria Operations and VMware Tools, and there are signs of active exploitation in the wild.
Security analysts and authorities are urging immediate updates to prevent possible ransomware and other attacks that could compromise virtual infrastructures.
The vulnerability, rated Important with a CVSSv3 base score of 7.8, is a privilege defined with unsafe actions issue. It allows a malicious local user with limited access to a virtual machine (VM) to escalate their privileges to root on that VM.
This poses a significant risk in environments where VMware Tools is installed and managed by Aria Operations with Software-Defined Management Platform (SDMP) enabled.
Broadcom has acknowledged that suspected exploitation has already taken place, raising concern for organizations that depend on VMware for both cloud and on-premises virtualization.
At its core, CVE-2025-41244 stems from faulty privilege management in VMware Tools and Aria Operations. A low-privileged user on a compromised VM can use this vulnerability to obtain complete administrative control, potentially moving on to broader network access or data theft.
The attack requires local access, meaning initial footholds, such as via phishing or unpatched endpoints, could act as entry points.
Broadcom’s analysis maps the issue to CWE-267 (Privilege Defined With Unsafe Actions), underscoring how seemingly innocuous configurations can become attack surfaces. No alternatives to patching are available, making prompt updates critical.
Affected components include VMware Tools versions earlier than 12.5.4 and certain releases of Aria Operations. For Linux users, open-vm-tools updates will be distributed via vendors, while the fix for Windows 32-bit systems is in Tools 12.4.9, which ships as part of the 12.5.4 package.
| CVE ID | Affected Products | CVSSv3 Score | Impact | Fixed Versions | Exploitation Status | 
|---|---|---|---|---|---|
| CVE-2025-41244 | VMware Aria Operations, VMware Tools | 7.8 (Important) | Local privilege escalation to root on VM | Tools 12.5.4; Aria Operations patches per matrix; open-vm-tools via vendors | Suspected in-the-wild exploitation; added to CISA KEV catalog | 
Mitigations
CISA recommends applying vendor updates without delay and adhering to Binding Operational Directive (BOD) 22-01 for federal cloud services. Organizations unable to apply patches should consider discontinuing use of the vulnerable products.
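
One way to triage a guest inventory against the fixed versions named above, added here as an example and not taken from Broadcom or CISA. The platform labels, CSV layout, verdict names and sample rows are assumptions; Linux guests and releases newer than the 12.x line are deferred to the vendor advisory because the article gives no version threshold for them.

```python
import csv
import io
import re

# Fixed VMware Tools releases as stated in the article. The platform labels
# are assumptions of this example, not VMware identifiers.
FIXED_12X = {"windows-x64": (12, 5, 4), "windows-x86": (12, 4, 9)}

# Constructed sample inventory (hosts and build numbers are made up). The
# third column mimics the output of `vmware-toolbox-cmd -v` inside a guest.
SAMPLE_INVENTORY = """\
host,platform,tools_version
web01,windows-x64,12.5.4.11111 (build-11111111)
web02,windows-x64,12.3.5.22222 (build-22222222)
kiosk01,windows-x86,12.4.9.33333 (build-33333333)
kiosk02,windows-x86,12.4.5.44444 (build-44444444)
db01,linux,12.5.0.55555 (build-55555555)
build01,windows-x64,13.0.1.66666 (build-66666666)
old01,windows-x64,not installed
"""

def parse_version(text):
    """Return (major, minor, patch) from a Tools version string, or None."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(platform, version_text):
    """Classify one guest: fixed, update-required, check-vendor,
    check-advisory or unknown."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"          # Tools missing or output unparseable
    if platform == "linux":
        # open-vm-tools fixes come from the distribution vendor, so the
        # upstream version number alone does not settle patch status.
        return "check-vendor"
    fixed = FIXED_12X.get(platform)
    if fixed is None or version[0] > 12:
        # The article states fixed versions for the 12.x line only.
        return "check-advisory"
    return "fixed" if version >= fixed else "update-required"

def triage_inventory(csv_text):
    """Map each host in the CSV inventory to its verdict."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["platform"], r["tools_version"]) for r in rows}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {verdict}")
```

Hosts reported as `check-vendor` or `check-advisory` need the distribution's package changelog or Broadcom's response matrix to settle their status.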
This incident highlights the ongoing targeting of virtualization platforms, which underpin a large portion of modern hybrid IT environments.
Broadcom credited Maxime Thiebaut of NVISO with discovering and reporting the flaw, illustrating the importance of collaborative security research.
As ransomware campaigns increasingly leverage such vulnerabilities, businesses must prioritize vulnerability management. With exploitation confirmed, unpatched systems continue to pose significant risks, and delays in action could lead to severe operational disruptions.