VMware Aria Operations and VMware Tools CVE-2025-41244 exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
A CVE-2025-41244 exploitation wave has affected VMware Aria Operations and VMware Tools since mid-October 2024, creating privilege-escalation risk on vulnerable VMs. Attackers can stage a malicious binary in broadly matched paths and push it into VMware service discovery, which can end in root-level code execution. A proof-of-concept exploit now shows how the flaw can be abused in both credential-based and credential-less configurations. The activity matters because it turns a local foothold into full administrative control on exposed systems.
Cases
Related Happenings
Windows cldflt.sys privilege escalation (CVE-2020-17103)
Vulnerability
H score28
First: 18.05.2026 01:30
Last: 18.05.2026 01:30
Sources 1
About this happening:
A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...
Windows cldflt.sys privilege escalation (CVE-2020-17103)
VulnerabilityAbout this happening: A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...
Windows Netlogon stack-based buffer overflow security flaw (CVE-2026-41089)
Vulnerability
H score37
First: 13.05.2026 11:15
Last: 13.05.2026 11:15
Sources 1
About this happening:
Microsoft’s **May Patch Tuesday** fixed **CVE-2026-41089**, a **critical** stack-based buffer overflow in **Windows Netlogon** that could let attackers gain **system privileges**...
Windows Netlogon stack-based buffer overflow security flaw (CVE-2026-41089)
VulnerabilityAbout this happening: Microsoft’s **May Patch Tuesday** fixed **CVE-2026-41089**, a **critical** stack-based buffer overflow in **Windows Netlogon** that could let attackers gain **system privileges**...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
H score1
First: 20.04.2026 16:01
Last: 20.04.2026 16:01
Sources 1
About this happening:
The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
VulnerabilityAbout this happening: The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
Windows zero-day exploitation wave
Exploitation Wave
H score38
First: 17.04.2026 09:14
Last: 17.04.2026 09:14
Sources 1
About this happening:
**BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....
Windows zero-day exploitation wave
Exploitation WaveAbout this happening: **BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....
Latest development: 23.04.2026 14:05
CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, until May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.
Windows Task Host link-following privilege escalation (CVE-2025-60710)
Vulnerability
H score29
First: 15.04.2026 17:51
Last: 15.04.2026 17:51
Sources 1
About this happening:
CISA added **CVE-2025-60710** to its actively exploited catalog after finding a **Windows Task Host** link-following flaw that can let **local attackers** escalate to **SYSTEM** o...
Windows Task Host link-following privilege escalation (CVE-2025-60710)
VulnerabilityAbout this happening: CISA added **CVE-2025-60710** to its actively exploited catalog after finding a **Windows Task Host** link-following flaw that can let **local attackers** escalate to **SYSTEM** o...
Timeline
-
31.10.2025 09:09 1 articles · 8mo ago
CISA adds CVE-2025-41244 to KEV catalog after VMware exploitation
Legal Policy Action UpdateCISA added CVE-2025-41244 affecting Broadcom VMware Tools and VMware Aria Operations to the KEV catalog after reports of active exploitation in the wild. Broadcom had already addressed the flaw, which NVISO Labs says was abused as a zero-day since mid-October 2024 to escalate a local actor to root on vulnerable VMs. Federal Civilian Executive Branch agencies must apply mitigations by November 20, 2025.
Show sources
- CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks — thehackernews.com — 31.10.2025 09:09
-
01.10.2025 12:25 1 articles · 9mo ago
NVISO attributes CVE-2025-41244 abuse to UNC5174
Technical Analysis UpdateNVISO Labs says UNC5174 has exploited CVE-2025-41244 in VMware Aria Operations and VMware Tools since October 2024, using malicious binaries staged in /tmp/httpd to trigger root code execution on VMs with VMware Tools installed and Aria Operations SDMP enabled. NVISO also says the open source open-vm-tools variant is affected because its discovery regex can match non-system binaries in writable paths, and organizations should watch for uncommon child processes.
Show sources
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability — www.securityweek.com — 01.10.2025 12:25
-
30.09.2025 17:54 2 articles · 9mo ago
VMware Aria Operations and VMware Tools CVE-2025-41244 exploitation wave
Initial DisclosureIn **mid-October 2024**, attackers began abusing **CVE-2025-41244** on **VMware Aria Operations** and **VMware Tools** to move from local access toward **privilege escalation**. The first phase centered on staging a malicious binary that VMware service discovery could pick up.
Show sources
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54
- Chinese hackers exploiting VMware zero-day since October 2024 — www.bleepingcomputer.com — 30.09.2025 17:54