On Thursday, CISA warned U.S. government agencies to secure their systems against attacks exploiting a high-severity vulnerability in Broadcom's VMware Aria Operations and VMware Tools software.

Tracked as CVE-2025-41244 and patched one month ago, this vulnerability allows local attackers with non-administrative privileges on a virtual machine (VM) that runs VMware Tools and is managed by Aria Operations with SDMP enabled to escalate privileges to root on the same VM.

CISA added the flaw to its Known Exploited Vulnerabilities catalog, which lists security bugs the cybersecurity agency has flagged as exploited in the wild.

Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until November 20, to patch their systems against ongoing attacks, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021. FCEB agencies are non-military agencies within the U.S. executive branch, including the Department of Homeland Security, the Department of Energy, the Department of the Treasury, and the Department of Health and Human Services.

While BOD 22-01 only applies to federal agencies, CISA urged all organizations to prioritize patching this vulnerability as soon as possible.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA cautioned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Exploited in attacks since last October

Broadcom has flagged CVE-2025-41244 as being exploited in the wild today, one month after Maxime Thiebaut of European cybersecurity company NVISO reported that the UNC5174 Chinese state-sponsored threat actor had been abusing it in attacks since mid-October 2024.
At the time, Thiebaut also released proof-of-concept code demonstrating how CVE-2025-41244 can be exploited to escalate privileges on systems running vulnerable VMware Aria Operations (in credential-based mode) and VMware Tools (in credential-less mode), ultimately allowing attackers to gain root-level code execution on the VM.

Google Mandiant security analysts, who have tagged UNC5174 as a contractor for China's Ministry of State Security (MSS), observed the threat actor selling access to networks of U.S. defense contractors, UK government entities, and Asian institutions in late 2023, following attacks exploiting an F5 BIG-IP remote code execution vulnerability (CVE-2023-46747).

In February 2024, UNC5174 also exploited a ConnectWise ScreenConnect flaw (CVE-2024-1709) to breach hundreds of U.S. and Canadian institutions, and was linked in May to attacks abusing a NetWeaver unauthenticated file upload flaw (CVE-2025-31324) that enables attackers to gain remote code execution on unpatched NetWeaver Visual Composer servers.

Since the start of the year, Broadcom has fixed three other actively exploited VMware zero-day bugs (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) reported by the Microsoft Threat Intelligence Center and released security patches to address two high-severity VMware NSX vulnerabilities (CVE-2025-41251 and CVE-2025-41252) reported by the U.S. National Security Agency (NSA).
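The KEV catalog and BOD 22-01 deadline described above are what a defender actually has to act on: pull the catalog, find which hosts run the listed products, and track the remediation due date. The script below is an added example (not code from CISA, Broadcom, or the article) that does that triage offline. It assumes the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the catalog sample, the host inventory and the "today" date are constructed for the example, the second catalog entry is a placeholder, and the per-CVE precondition (VMware Tools VM managed by Aria Operations with SDMP enabled) is taken from the article's description, not from a vendor feed.

```python
"""Triage a CISA KEV-style catalog against a host inventory (added example)."""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of the public KEV JSON feed. The dateAdded /
# dueDate pair mirrors the article's "added Thursday, due November 20" window;
# the second entry is an obvious placeholder, not a real catalog record.
SAMPLE_KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities Catalog (constructed sample)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-41244",
      "vendorProject": "Broadcom",
      "product": "VMware Aria Operations and VMware Tools",
      "dateAdded": "2025-10-30",
      "dueDate": "2025-11-20",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
    },
    {
      "cveID": "CVE-0000-00000",
      "vendorProject": "PlaceholderVendor",
      "product": "Placeholder Router",
      "dateAdded": "2025-09-01",
      "dueDate": "2025-09-22",
      "requiredAction": "Placeholder entry so the matcher has something to skip."
    }
  ]
}
"""

# Constructed inventory. aria_sdmp_managed is a hypothetical CMDB attribute
# recording whether the VM is managed by Aria Operations with SDMP enabled.
SAMPLE_INVENTORY = [
    {"host": "vm-web-01", "software": ["VMware Tools"], "aria_sdmp_managed": True},
    {"host": "vm-db-02", "software": ["VMware Tools"], "aria_sdmp_managed": False},
    {"host": "aria-ops-01", "software": ["VMware Aria Operations"], "aria_sdmp_managed": True},
    {"host": "bastion-01", "software": ["OpenSSH"], "aria_sdmp_managed": False},
]

# Extra context per CVE, derived from the article: exploitation of CVE-2025-41244
# needs a VM with VMware Tools that is managed by Aria Operations with SDMP enabled.
# Hosts that match the product but not this condition are still listed (the
# vendor fix still applies) but are flagged for review rather than confirmed exposure.
PRECONDITIONS = {
    "CVE-2025-41244": lambda host: bool(host.get("aria_sdmp_managed", False)),
}


@dataclass
class Finding:
    host: str
    cve_id: str
    product: str
    due: date
    days_left: int
    overdue: bool
    precondition_met: bool
    required_action: str


def parse_kev(text: str) -> list[dict]:
    """Return the vulnerability records from a KEV-format JSON document."""
    return json.loads(text)["vulnerabilities"]


def product_names(entry: dict) -> list[str]:
    """Split a catalog product string such as 'A and B' or 'A, B' into names."""
    raw = entry["product"].replace(",", " and ")
    return [p.strip() for p in raw.split(" and ") if p.strip()]


def host_runs(host: dict, product: str) -> bool:
    """Case-insensitive substring match of a catalog product against host software."""
    needle = product.lower()
    return any(needle in s.lower() for s in host["software"])


def triage(entries: list[dict], inventory: list[dict], today: date) -> list[Finding]:
    """One finding per (host, CVE) where the host runs a listed product, soonest due first."""
    findings = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        check = PRECONDITIONS.get(entry["cveID"], lambda host: True)
        for host in inventory:
            for product in product_names(entry):
                if host_runs(host, product):
                    findings.append(Finding(
                        host=host["host"], cve_id=entry["cveID"], product=product,
                        due=due, days_left=days_left, overdue=days_left < 0,
                        precondition_met=check(host),
                        required_action=entry["requiredAction"]))
                    break  # do not double-count a host that matches two product names
    findings.sort(key=lambda f: (f.days_left, f.host))
    return findings


if __name__ == "__main__":
    for f in triage(parse_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date(2025, 11, 1)):
        state = "OVERDUE" if f.overdue else f"{f.days_left}d left"
        context = "precondition met" if f.precondition_met else "review precondition"
        print(f"{f.host:12} {f.cve_id:16} {f.product:24} due {f.due} ({state}; {context})")
```

Swapping the constructed JSON for the live feed and the inventory for a CMDB export is the only change needed to run this for real; the per-CVE precondition table is where advisory-specific context (such as the SDMP requirement here) goes so that it is applied consistently rather than remembered per ticket.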