Chinese state hackers may be using VMware Tools flaw to hack US systems, so patch now, CISA warns

  • CISA added CVE-2025-41244 to KEV, requiring patching by November 20
  • Bug allows local privilege escalation through VMware Tools with SDMP enabled
  • The Chinese group UNC5174 took advantage of it for espionage against Western and Asian institutions.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Broadcom bug to its Known Exploited Vulnerabilities (KEV) catalog, warning Federal Civilian Executive Branch (FCEB) agencies about abuse in the wild.

The bug in question is a local privilege escalation vulnerability that affects VMware Aria Operations and VMware Tools. According to the NVD, a malicious local actor with non-administrative privileges who has access to a virtual machine with VMware Tools installed and managed by Aria Operations with SDMP enabled can exploit it to escalate privileges to root on the same virtual machine.

The bug is tracked as CVE-2025-41244 and was assigned a severity score of 7.8/10 (High). Those looking for a fix for 32-bit Windows should look into VMware Tools 12.4.9, part of VMware Tools 12.5.4. For Linux, there is a version of open-vm-tools that will be distributed by Linux vendors.
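As an added, defender-side example (not code from the article or from Broadcom), the check below parses the output of `vmware-toolbox-cmd -v`, the command that ships with VMware Tools and open-vm-tools, and compares the installed version against the fixed versions the article cites. It assumes the 12.x release line only (other lines must be checked against the vendor advisory) and uses constructed sample outputs.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions named in the article. Assumption: only the 12.x line is
# modelled here; consult the Broadcom advisory for other release lines.
FIXED_DEFAULT = (12, 5, 4)
FIXED_WIN32 = (12, 4, 9)  # 32-bit Windows build cited by the article


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the dotted numeric version from `vmware-toolbox-cmd -v` style
    output, e.g. '12.3.5.46049 (build-22544099)' -> (12, 3, 5, 46049)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version: Tuple[int, ...], win32: bool = False) -> bool:
    """True if major.minor.patch is at or above the fix cited for CVE-2025-41244.
    The trailing build number is ignored; a two-part version is treated as older."""
    floor = FIXED_WIN32 if win32 else FIXED_DEFAULT
    return version[:3] >= floor


def check_output(output: str, win32: bool = False) -> str:
    """Classify one captured `vmware-toolbox-cmd -v` output string."""
    v = parse_version(output)
    if v is None:
        return "unknown: could not parse version"
    state = "patched" if is_patched(v, win32) else "VULNERABLE: update VMware Tools / open-vm-tools"
    return f"{'.'.join(map(str, v))} -> {state}"


def check_local_host(win32: bool = False) -> str:
    """Run vmware-toolbox-cmd on this guest and classify its version."""
    try:
        proc = subprocess.run(["vmware-toolbox-cmd", "-v"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown: vmware-toolbox-cmd not available"
    return check_output(proc.stdout, win32)


if __name__ == "__main__":
    # Constructed sample outputs for an offline demonstration
    for sample in ["12.3.5.46049 (build-22544099)", "12.5.4.12345 (build-99999999)"]:
        print(check_output(sample))
    print(check_local_host())
```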

Chinese attackers

By adding it to KEV, CISA gave FCEB agencies three weeks to apply the patch (which was released about a month ago) or stop using the vulnerable products altogether. The deadline is November 20.

At the same time, security researchers say the bug has been exploited by Chinese state-sponsored attackers for about a year. In fact, NVISO claims that a group tracked as UNC5174 has been using it since mid-October 2024, and even published proof-of-concept (PoC) code to show how it could be leveraged, BleepingComputer reports.

According to Google Mandiant, UNC5174 was contracted by China’s Ministry of State Security (MSS) to gain access to US defense contractors, UK government agencies, and various Asian institutions.

In late 2024, Chinese state-sponsored threat actors abused several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to access French government agencies as well as numerous commercial entities such as telecommunications companies and financial and transportation organizations. The attacks were attributed to a group tracked as Houken, which researchers claimed has many similarities to UNC5174.

Via BleepingComputer

Tech Insider (NewForTech Editorial Team)
Tech Insider is NewForTech’s in-house editorial team focusing on tech news, security, AI, opinions and technology trends