The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a new VMware zero-day vulnerability, tracked as CVE-2025-41244. The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) list, which means it is being actively used in real-world attacks. Security experts say this vulnerability needs immediate attention from all organizations using VMware products.

The affected products are VMware Tools and VMware Aria Operations. The flaw allows a normal user on a virtual machine to gain full “root” control under certain configurations. In simple words, it lets attackers take complete control of a system if they already have some access, making it very dangerous for corporate networks.

Security researchers discovered that the vulnerability is being exploited by a China-linked hacking group known as UNC5174. Reports indicate that this group started taking advantage of the flaw as early as October 2024. This shows that the attacks have been happening quietly for months before the issue became public, which raises the level of risk for many companies.

The bug is classified as a local privilege escalation (LPE) vulnerability. It has a severity score of 7.8, which is considered high. Attackers can use it to move from limited user access to full administrator rights, allowing them to perform deeper attacks, steal data, or install additional malware on affected systems.

Investigators have also shared technical details about how the bug was exploited. Attackers were found planting malicious files at paths such as /tmp/httpd, inside world-writable temporary directories, to trigger the flaw. Security experts recommend checking these locations for unusual files as part of routine system monitoring and threat detection.

In response to the discovery, Broadcom, the company that owns VMware, released security updates to fix the vulnerability. Updated versions of VMware Tools and Aria Operations have been made available for download. Users are strongly advised to apply these patches immediately to protect their systems from ongoing attacks.

CISA has directed all government agencies and organizations to patch the vulnerability without delay. The agency’s alert also encourages private companies to review their virtual machines and ensure no unauthorized privilege escalations have occurred. Early patching and regular monitoring remain the best defense against such exploits.

In summary, this VMware zero-day is a serious security issue that attackers are already exploiting. Organizations should patch immediately, scan for signs of compromise, and tighten permissions on temporary directories. Taking these steps will help stop attackers from gaining control and prevent further damage to systems and networks.
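The two defensive steps above, checking temporary directories for unexpected daemon-named files such as /tmp/httpd and confirming those directories are properly locked down, can be turned into a small sweep. The script below is an added example and is not code from the article, from CISA, or from VMware/Broadcom. The only path it takes from the report is the name `httpd`; the other daemon names in `DAEMON_NAMES`, the list of directories in `TEMP_DIRS`, and the sample files that `build_demo_dir()` creates are assumptions constructed for the demonstration.

```python
"""Defensive sweep of shared temp directories for daemon-named files.

Added example; not part of the original advisory or of any VMware component.
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Names that look like system services. "httpd" comes from the reported
# /tmp/httpd path; the others are assumptions added to make the sweep generic.
# None of these has a legitimate reason to sit in a world-writable temp dir.
DAEMON_NAMES = {"httpd", "sshd", "nginx", "mysqld", "vmtoolsd", "crond"}

# Shared, world-writable directories worth sweeping on a typical Linux guest
# (assumed list; extend it for your own build).
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class Finding:
    path: str
    owner_uid: int
    mode: str          # ls-style mode string, e.g. "-rwxr-xr-x"
    age_seconds: float
    reason: str


def _base_name(name: str) -> str:
    """Compare the part before the first dot so "httpd.sh" matches "httpd"."""
    return name.split(".", 1)[0]


def scan_temp_dir(directory, names=DAEMON_NAMES, now=None):
    """Return a Finding for each regular file in `directory` whose name
    mimics a daemon. Symlinks are not followed (lstat), so a planted link
    cannot redirect the sweep elsewhere. A missing directory yields []."""
    now = time.time() if now is None else now
    findings = []
    d = Path(directory)
    if not d.is_dir():
        return findings
    for entry in d.iterdir():
        try:
            st = entry.lstat()
        except OSError:
            continue                      # vanished or unreadable; skip
        if not stat.S_ISREG(st.st_mode):
            continue
        if _base_name(entry.name) not in names:
            continue
        is_exec = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        reason = "daemon-like file name in a temp directory"
        if is_exec:
            reason += " (executable)"
        findings.append(Finding(
            path=str(entry),
            owner_uid=st.st_uid,
            mode=stat.filemode(st.st_mode),
            age_seconds=max(0.0, now - st.st_mtime),
            reason=reason,
        ))
    return findings


def sticky_bit_set(directory) -> bool:
    """True when the directory carries the sticky bit (drwxrwxrwt), so users
    can only remove or rename their own entries. This is the minimum
    permission hardening a shared temp directory should have."""
    return bool(os.stat(directory).st_mode & stat.S_ISVTX)


def build_demo_dir() -> str:
    """Create a throwaway directory with constructed sample files: an
    executable named httpd (should be flagged) and a harmless text file."""
    d = tempfile.mkdtemp(prefix="tmpsweep-")
    os.chmod(d, 0o1777)                   # world-writable with sticky bit, like /tmp
    planted = Path(d) / "httpd"
    planted.write_bytes(b"#!/bin/sh\necho constructed sample, does nothing\n")
    planted.chmod(0o755)
    (Path(d) / "notes.txt").write_text("harmless\n")
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    print(f"demo dir {demo}: sticky bit set = {sticky_bit_set(demo)}")
    for f in scan_temp_dir(demo):
        print(f"  {f.path}: {f.reason} uid={f.owner_uid} "
              f"mode={f.mode} age={f.age_seconds:.0f}s")
    # Sweep the real temp directories on this host as well.
    for real in TEMP_DIRS:
        if os.path.isdir(real):
            print(f"{real}: sticky bit set = {sticky_bit_set(real)}")
            for f in scan_temp_dir(real):
                print(f"  {f.path}: {f.reason} uid={f.owner_uid} mode={f.mode}")
```

Run it periodically (cron or your EDR's script runner) and forward any Finding with its owner UID and modification time to the SIEM; a daemon-named executable in /tmp owned by an ordinary user is worth a ticket regardless of whether the VMware patch is already applied. A directory where `sticky_bit_set()` returns False is the permission gap the article's "tighten permissions on temporary directories" advice is about.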

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news