CISA Directs Federal Agencies to Patch Actively Exploited VMware Vulnerability by Chinese Threat Actor UNC5174

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to patch a high-severity vulnerability, CVE-2025-41244.

This flaw affects Broadcom’s VMware Aria Operations and VMware Tools. It has been actively exploited by the Chinese state-sponsored threat actor UNC5174 since at least October 2024.

CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, prompting immediate action.

Federal Civilian Executive Branch (FCEB) agencies are mandated under Binding Operational Directive (BOD) 22-01 to apply necessary mitigations by November 20.

The vulnerability allows a local attacker with non-administrative privileges on a virtual machine (VM) that runs VMware Tools and is managed by Aria Operations with SDMP (Service Discovery Management Pack) enabled to escalate privileges to root on that same VM.

This poses a significant risk to affected systems, potentially leading to full system compromise.

CVE-2025-41244 is classified as a “Privilege Defined with Unsafe Actions” weakness (CWE-267).

Broadcom patched this vulnerability approximately one month before CISA’s directive.

Maxime Thiebaut of NVISO reported the flaw’s exploitation and released proof-of-concept code, illustrating how attackers could achieve root-level code execution.

Google Mandiant security analysts have identified UNC5174 as a contractor for China’s Ministry of State Security (MSS).

This group has a history of selling access to networks of U.S. defense contractors, UK government entities, and Asian institutions.

Their past operations include exploiting an F5 BIG-IP remote code execution vulnerability (CVE-2023-46747) in late 2023.

In February 2024, UNC5174 also exploited a ConnectWise ScreenConnect flaw (CVE-2024-1709).

This exploit led to the compromise of hundreds of U.S. and Canadian institutions. More recently, in May, the group was linked to attacks abusing a NetWeaver unauthenticated file upload flaw (CVE-2025-31324).

This flaw allowed remote code execution on unpatched NetWeaver Visual Composer servers.

While BOD 22-01 applies only to federal agencies, CISA urges all organizations to prioritize patching this vulnerability.

This is because vulnerabilities listed in the KEV Catalog are, by definition, frequent attack vectors for malicious cyber actors.

Broadcom has addressed other actively exploited VMware zero-day vulnerabilities this year, including CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226.

They also fixed two high-severity VMware NSX vulnerabilities (CVE-2025-41251 and CVE-2025-41252) reported by the U.S. National Security Agency (NSA).

Organizations are advised to apply vendor mitigations and follow applicable BOD 22-01 guidance for cloud services.

If mitigations are unavailable, discontinuing product use is recommended.