Pierluigi Paganini October 30, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds XWiki Platform, and Broadcom VMware Aria Operations and VMware Tools flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added XWiki Platform, and Broadcom VMware Aria Operations and VMware Tools flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

• CVE-2025-24893 (CVSS score of 9.8) XWiki Platform Eval Injection Vulnerability
• CVE-2025-41244 (CVSS score of 7.8) Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability

The XWiki Platform, a generic wiki framework that provides runtime services for applications built on top of it, was found to contain a critical security vulnerability, tracked as CVE-2025-24893, in its SolrSearch feature. This flaw allows unauthenticated users, essentially any guest, to execute arbitrary code on the server, posing a severe risk to the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability works by injecting Groovy code into the RSS feed generation mechanism through a specially crafted request to the SolrSearch endpoint.

This issue was patched in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1, and users are strongly advised to upgrade immediately.

The second flaw added to the catalog, tracked as CVE-2025-41244, is a local privilege escalation vulnerability in VMware Aria Operations and VMware Tools.

A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

At the end of September, Broadcom addressed six VMware vulnerabilities, including four high-severity issues. One of these flaws is the vulnerability CVE-2025-41244 that allows local users to escalate to root via VMware Tools and Aria Operations.

“VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.” reads the advisory. “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.”

The vulnerability CVE-2025-41244 has been exploited in the wild as a zero-day since mid-October 2024 by the China-linked threat actor UNC5174.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by November 20, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)