VMware Aria Operations and VMware Tools CVE-2025-41244 exploitation wave
Exploitation Wave
Summary
A CVE-2025-41244 exploitation wave has affected VMware Aria Operations and VMware Tools since mid-October 2024, creating a local privilege-escalation risk on vulnerable VMs. The flaw sits in VMware's service discovery: the discovery logic matches executable paths with a pattern broad enough to include non-system, user-writable locations, so an unprivileged local user can stage a malicious binary under a matched path (NVISO observed /tmp/httpd) and wait for the privileged discovery routine to execute it as root. A public proof-of-concept shows the flaw being abused in both the credential-based and the credential-less discovery configurations. The activity matters because it turns any local foothold on an affected VM into full administrative control.
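As an added example (not code from this page, from NVISO or from Broadcom), the following POSIX shell hunts implement the two checks that the summary above and NVISO's notes in the timeline point at: look-alike service binaries staged in writable directories, and processes launched from non-system paths by descendants of the discovery daemon. The daemon name vmtoolsd, the service-name list, the trusted path prefixes and the "pid ppid comm exe" snapshot format are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from the page, NVISO or Broadcom: two hunts for the
# staging pattern described above. Assumptions (adjust for your estate):
#  - the VMware Tools daemon is named vmtoolsd and the privileged discovery
#    routine runs as one of its descendants;
#  - the service names below are the kind of basenames a permissive discovery
#    pattern would match (the page itself only names /tmp/httpd);
#  - anything under the trusted prefixes is a legitimately installed service.

SERVICE_NAMES='httpd|nginx|mysqld|postgres|sshd|named|ntpd|java'
TRUSTED_PREFIXES='/usr/sbin/|/usr/bin/|/usr/lib/|/usr/libexec/|/sbin/|/bin/|/opt/'
DISCOVERY_PARENT='vmtoolsd'

# Hunt 1: executables sitting in writable locations whose basename discovery
# would pick up. Feed it one path per line, e.g. on a live host:
#   find /tmp /var/tmp /dev/shm -type f -perm -u+x | hunt_staged_binaries
hunt_staged_binaries() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=${path##*/}
        if printf '%s\n' "$base" | grep -Eq "^(${SERVICE_NAMES})$"; then
            printf 'STAGED exe=%s\n' "$path"
        fi
    done
}

# Hunt 2: processes whose ancestry includes the discovery daemon but whose
# executable lives outside trusted system paths. Feed it a snapshot of
# "pid ppid comm exe" lines (assumed layout; build it from
# `ps -eo pid=,ppid=,comm=` plus `readlink /proc/PID/exe`).
hunt_discovery_children() {
    awk -v trusted="$TRUSTED_PREFIXES" -v daemon="$DISCOVERY_PARENT" '
    { seen[$1] = 1; parent[$1] = $2; comm[$1] = $3; exe[$1] = $4 }
    END {
        for (p in seen) {
            # walk up the parent chain looking for the discovery daemon
            a = parent[p]; hit = 0; depth = 0
            while ((a in seen) && depth < 64) {
                if (comm[a] == daemon) { hit = 1; break }
                a = parent[a]; depth++
            }
            if (hit && exe[p] != "" && exe[p] !~ ("^(" trusted ")"))
                printf "SUSPICIOUS pid=%s ppid=%s comm=%s exe=%s\n", p, parent[p], comm[p], exe[p]
        }
    }'
}

# Constructed snapshot, not real telemetry: a genuine httpd (700), a staged
# /tmp/httpd not yet run by discovery (710), the daemon (800), its discovery
# shell (900) executing the staged binary (901) and a legitimate mysqld (902).
SAMPLE_PS='1 0 systemd /usr/lib/systemd/systemd
700 1 httpd /usr/sbin/httpd
710 1 httpd /tmp/httpd
800 1 vmtoolsd /usr/bin/vmtoolsd
900 800 sh /usr/bin/sh
901 900 httpd /tmp/httpd
902 900 mysqld /usr/sbin/mysqld'

# Constructed file listing of writable directories.
SAMPLE_FILES='/tmp/httpd
/tmp/.X11-unix
/var/tmp/mysqld
/dev/shm/cache.bin'

run_sample_hunts() {
    printf '%s\n' "$SAMPLE_FILES" | hunt_staged_binaries
    printf '%s\n' "$SAMPLE_PS" | hunt_discovery_children
}

run_sample_hunts
```

The two hunts complement each other: the process check only fires while the discovery routine is actually running the staged binary, whereas the file check catches a binary that has been planted and is waiting for the next discovery cycle. Note that pid 902 is not flagged even though discovery launched it, because it lives under a trusted prefix; that is the normal behaviour the attacker is hiding among.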
Related Happenings
Windows cldflt.sys privilege escalation (CVE-2020-17103)
Vulnerability
First: 18.05.2026 01:30
Last: 18.05.2026 01:30
Sources 1
About this happening:
A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...
Windows Netlogon stack-based buffer overflow security flaw (CVE-2026-41089)
Vulnerability
First: 13.05.2026 11:15
Last: 13.05.2026 11:15
Sources 1
About this happening:
Microsoft’s **May Patch Tuesday** fixed **CVE-2026-41089**, a **critical** stack-based buffer overflow in **Windows Netlogon** that could let attackers gain **system privileges**...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
First: 20.04.2026 16:01
Last: 20.04.2026 16:01
Sources 1
About this happening:
The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
Windows Task Host link-following privilege escalation (CVE-2025-60710)
Vulnerability
First: 15.04.2026 17:51
Last: 15.04.2026 17:51
Sources 1
About this happening:
CISA added **CVE-2025-60710** to its actively exploited catalog after finding a **Windows Task Host** link-following flaw that can let **local attackers** escalate to **SYSTEM** o...
AOS-CX web management authentication bypass (CVE-2026-23813)
Vulnerability
First: 10.03.2026 19:30
Last: 10.03.2026 19:30
Sources 1
About this happening:
**HPE** has patched **CVE-2026-23813**, a critical **authentication bypass** in the **Aruba Networking AOS-CX web-based management interface** that could let **unauthenticated rem...
Timeline
- 31.10.2025 09:09 · 1 article · 6mo ago
CISA adds CVE-2025-41244 to KEV catalog after VMware exploitation
Legal / Policy Action Update: CISA added CVE-2025-41244, affecting Broadcom VMware Tools and VMware Aria Operations, to the KEV catalog after reports of active exploitation in the wild. Broadcom had already patched the flaw, which NVISO Labs says was abused as a zero-day from mid-October 2024 to escalate a local actor to root on vulnerable VMs. Federal Civilian Executive Branch agencies must apply mitigations by November 20, 2025.
Sources:
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
- 01.10.2025 12:25 · 1 article · 7mo ago
NVISO attributes CVE-2025-41244 abuse to UNC5174
Technical Analysis Update: NVISO Labs says UNC5174 has exploited CVE-2025-41244 in VMware Aria Operations and VMware Tools since October 2024, staging malicious binaries at /tmp/httpd so that service discovery executes them as root on VMs that have VMware Tools installed and Aria Operations SDMP enabled. NVISO also says the open source open-vm-tools variant is affected because its discovery regex can match non-system binaries in writable paths, and advises organizations to watch for uncommon child processes of the service discovery routine.
Sources:
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
- 30.09.2025 17:54 · 2 articles · 7mo ago
VMware Aria Operations and VMware Tools CVE-2025-41244 exploitation wave
Initial Disclosure: In **mid-October 2024**, attackers began abusing **CVE-2025-41244** on **VMware Aria Operations** and **VMware Tools** to escalate from local access to **root**. The first phase centered on staging a malicious binary that VMware service discovery would pick up and execute with its own elevated privileges.
Sources:
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54