Ddos 
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new flawsβCVE-2025-24893 in XWiki Platform and CVE-2025-41244 in Broadcom VMware Aria Operations and VMware Toolsβto its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild.
CVE-2025-24893 β XWiki Platform Eval Injection Vulnerability (CVSS 9.8)
The first flaw, tracked as CVE-2025-24893, is a critical remote code execution (RCE) vulnerability in XWiki Platform, reported by Trend Micro researcher John Kwak. The issue resides in the platformβs SolrSearch macro, which leverages the embedded Solr engine for full-text searches. Improper sanitization of Groovy-based search parameters allows unauthenticated attackers to inject and execute arbitrary code remotely.
According to the Zero Day Initiative (ZDI), the flaw βresults from the lack of proper validation of a user-supplied string before using it to execute a system call,β enabling attackers to run code with the privileges of the web serverβs service account.
Successful exploitation can expose sensitive information, disrupt operations, or enable full system compromise.
Patches were released in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 in June 2024. However, researchers at VulnCheck recently confirmed that in-the-wild exploitation has resumed, with attackers using the bug to deploy cryptocurrency miners.
βWe observed multiple exploit attempts against our XWiki canaries coming from an attacker geolocated in Vietnam,β VulnCheck reported, describing a two-stage attack in which an initial downloader is staged and later executed to mine crypto assets.
CVE-2025-41244 β VMware Aria Operations and VMware Tools Privilege Escalation (CVSS 7.8)
The second vulnerability, CVE-2025-41244, affects Broadcom VMware Aria Operations and VMware Tools. It allows local attackers with non-administrative privileges on a virtual machine (VM) managed by Aria Operationsβwith the Service Discovery Management Pack (SDMP) enabledβto escalate privileges to root.
Broadcom has confirmed that the vulnerability is under active exploitation, with evidence linking attacks to the Chinese state-sponsored group UNC5174. The issue was initially reported by Maxime Thiebaut of NVISO, who also published proof-of-concept (PoC) code demonstrating how it could be used to gain root-level access on vulnerable systems running Aria Operations (credential-based mode) and VMware Tools (credential-less mode).
Federal Agencies Ordered to Patch by November 20, 2025
In accordance with CISAβs Binding Operational Directive 22-01, all Federal Civilian Executive Branch (FCEB) agencies must remediate both vulnerabilities by November 20, 2025, to protect their systems from ongoing exploitation campaigns.
Related Posts:
- Zero-Day PoC Published: Privilege Escalation Flaw in VMware Tools Used by Chinese APT
- Broadcom Patches VMware Flaws: Privilege Escalation and Info Disclosure Vulnerabilities Affect VMware Tools and Aria Operations
- VMware Aria Operations Flaws Expose Credentials, Enable Privilege Escalation
- VMware fixes critical security bugs (CVE-2023-34039 & CVE-2023-20890) in Aria Operations for Networks
- VMware Aria Operations Hit By Multiple Vulnerabilities
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
