CISA Issues Alert on High-Severity VMware Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a high-severity vulnerability in Broadcom’s VMware products to its Known Exploited Vulnerabilities (KEV) catalog. The action follows confirmed reports of the flaw being actively exploited in the wild. The vulnerability, identified as CVE-2025-41244, impacts both VMware Tools and VMware Aria Operations. This security issue was exploited as a zero-day by threat actors beginning in mid-October, prior to a patch being made available.

The vulnerability carries a CVSS score of 7.8, indicating a high level of severity. According to the CISA alert, the flaw is a privilege escalation issue stemming from unsafe actions. An attacker who has already gained local, non-administrative access to a virtual machine (VM) can leverage this vulnerability to gain full root-level privileges on that same system.

Vulnerability Details and Official Response

In its advisory, CISA provided specific details on the exploit conditions. “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” the agency stated. This highlights that exploitation is contingent on a specific configuration involving VMware Tools and Aria Operations with the SDMP feature enabled.

Broadcom-owned VMware addressed the vulnerability by releasing security patches in September 2025. However, the exploitation by unknown threat actors began before the fix was widely deployed, classifying the initial attacks as zero-day exploits. By adding CVE-2025-41244 to the KEV catalog, CISA has mandated that Federal Civilian Executive Branch agencies apply the necessary patches to mitigate the risk posed by this actively exploited flaw.