
VMware Tools and VMware Aria Operations local privilege escalation actively exploited (CVE-2025-41244)

Vulnerability · Happening score: 49 · 3 unique sources, 4 articles

Summary


CVE-2025-41244 is a local privilege escalation flaw in VMware Tools and VMware Aria Operations that can let an unprivileged local user reach root on affected virtual machines. Broadcom and NVISO said the bug was exploited in the wild as a zero-day beginning in mid-October 2024, with abuse linked to UNC5174. The issue affects multiple VMware product lines, including VMware Cloud Foundation, VMware vSphere Foundation, and Telco Cloud deployments, and Broadcom said remediation requires patching with product-specific updates.

Cases

Related Happenings

Cloud Software Group NetScaler urgent remediation advisory

Advisory/Mitigation
First: 25.03.2026 17:52 Last: 25.03.2026 17:52 Sources 1

About this happening: **Cloud Software Group** issued urgent remediation guidance for **NetScaler ADC** and **NetScaler Gateway**, telling affected customers to install updated versions as soon as poss...

CISA KEV remediation deadline for CVE-2026-22719

Public Sector Action
First: 04.03.2026 06:35 Last: 04.03.2026 06:35 Sources 1

About this happening: The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** added **CVE-2026-22719** to the **Known Exploited Vulnerabilities (KEV) catalog**, requiring **Federal Civilia...

VMware ESXi arbitrary-write sandbox escape (CVE-2025-22225)

Vulnerability
First: 04.02.2026 19:38 Last: 04.02.2026 19:38 Sources 1

About this happening: **CVE-2025-22225** is now confirmed in **ransomware campaigns**, making the **VMware ESXi** sandbox-escape flaw an active risk for exposed virtualization hosts. **Broadcom** patch...

CISA KEV remediation order for CVE-2025-22225

Public Sector Action
First: 04.02.2026 19:38 Last: 04.02.2026 19:38 Sources 1

About this happening: **CISA** added **CVE-2025-22225** to the **Known Exploited Vulnerabilities (KEV)** catalog and ordered **federal agencies** to secure affected systems by **March 25, 2025**. The d...

Broadcom VMware vCenter Server and Cloud Foundation patch advisory (CVE-2024-37079)

Advisory/Mitigation
First: 26.01.2026 13:49 Last: 26.01.2026 13:49 Sources 1

About this happening: **Broadcom** told customers to apply security patches for **CVE-2024-37079** in **vCenter Server** and **Cloud Foundation**, after the flaw was tied to **active exploitation** and...

Timeline

  1. 30.09.2025 13:57 5 articles · 7mo ago

    Broadcom and NVISO disclose active UNC5174 exploitation of CVE-2025-41244

    Initial Disclosure

    On September 30, 2025, Broadcom and NVISO publicly described CVE-2025-41244 as a zero-day exploited in the wild since mid-October 2024 by UNC5174, said the flaw affects VMware Cloud Foundation, VMware vSphere Foundation, VMware Aria Operations, VMware Tools, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure, and noted that VMware Tools 12.4.9 / 12.5.4 and Linux vendor open-vm-tools updates remediate the issue.

  2. 19.05.2025 03:00 1 article · 12mo ago

    NVISO discovers CVE-2025-41244 in VMware Tools and VMware Aria Operations

    Technical Analysis Update

    During an incident response engagement on May 19, 2025, NVISO researcher Maxime Thiebaut discovered and reported CVE-2025-41244 in VMware Tools and VMware Aria Operations, identifying a local privilege escalation path in get_version() where broad regex matching can accept non-system binaries such as /tmp/httpd and let an unprivileged local user reach root on the same VM.
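
The path-matching weakness described in the timeline above, as an added defensive example (not code from VMware, Broadcom or NVISO): it flags executables that a name-based pattern would accept but that sit outside trusted system directories. The broad pattern, the service names, the trusted directory list and the sample paths are all constructed assumptions.

```python
import posixpath
import re

# Hypothetical broad pattern of the kind described above: any path whose final
# component is a known service name matches. Not the vendor's expression.
BROAD = re.compile(r"/\S+/(httpd|nginx|mysqld)$")

# Assumed trusted install locations; adjust per distribution.
TRUSTED_DIRS = {"/usr/sbin", "/usr/bin", "/usr/local/sbin"}


def is_trusted(path: str) -> bool:
    """True only if the normalized path sits directly in a trusted directory."""
    # normpath collapses "..", so /usr/sbin/../../tmp/httpd is seen as /tmp/httpd.
    # On a live host use os.path.realpath instead, to resolve symlinks as well.
    return posixpath.dirname(posixpath.normpath(path)) in TRUSTED_DIRS


def audit(exe_paths):
    """Return paths the broad pattern accepts but a strict allowlist rejects."""
    return [p for p in exe_paths if BROAD.search(p) and not is_trusted(p)]


# Constructed sample of process executable paths (not real telemetry).
SAMPLE = [
    "/usr/sbin/httpd",             # packaged service binary
    "/tmp/httpd",                  # the non-system example named in the timeline
    "/usr/sbin/../../tmp/httpd",   # traversal that only looks trusted
    "/home/alice/.cache/nginx",    # service name in a user-writable directory
    "/usr/sbin/sshd",              # not a service the pattern looks for
    "/usr/sbin/mysqld",            # packaged service binary
]

if __name__ == "__main__":
    for p in audit(SAMPLE):
        print("service-named binary outside trusted directories:", p)
```

On a live Linux guest the input would be the resolved executable paths of running processes, for example the targets of `/proc/<pid>/exe`.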
