
CISA Adds Exploited XWiki, VMware Flaws to KEV Catalog

Broadcom has updated its advisory on CVE-2025-41244 to mention the vulnerability’s in-the-wild exploitation.


The US cybersecurity agency CISA on Thursday expanded its Known Exploited Vulnerabilities (KEV) catalog with two security defects impacting XWiki and VMware products.

The XWiki flaw, tracked as CVE-2025-24893 (CVSS score of 9.8), is an improper sanitization of search parameters that can be exploited remotely, without authentication, to inject malicious code via specially crafted search requests.

Successful exploitation allows attackers to execute code with the privileges of the web server, leak sensitive information, or disrupt server operations.

Proof-of-concept (PoC) exploits targeting the bug have been available for roughly half a year, and exploitation attempts were first observed in March, although at the time they were assessed as reconnaissance rather than active attacks.

Earlier this week, however, VulnCheck warned that a threat actor has been exploiting the XWiki vulnerability to drop a cryptocurrency miner.

The VMware defect, tracked as CVE-2025-41244 (CVSS score of 7.8), is a local privilege escalation flaw affecting Aria Operations and VMware Tools that allows authenticated attackers to obtain root privileges on a VM that has VMware Tools installed and is managed by Aria Operations with SDMP enabled.


Broadcom rolled out fixes for the bug in late September, but failed to mention its in-the-wild exploitation. NVISO, which was credited for reporting the issue, reported that Chinese threat actors have been targeting the CVE for roughly a year.

On Thursday, Broadcom updated its advisory, noting that it “has information to suggest that suspected exploitation of CVE-2025-41244 has occurred in the wild”.

Simultaneously, CISA added the CVE, along with the XWiki defect, to the KEV list, urging federal agencies to patch them by November 20, as mandated by Binding Operational Directive (BOD) 22-01.
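For teams that have to act on a KEV addition, the practical step is to pull the catalog entry, match it against their own asset inventory and track the BOD 22-01 due date. The following is an added example, not code from SecurityWeek, CISA or Broadcom. It reads a constructed sample in the shape of CISA's public KEV JSON feed (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` fields); the two CVE IDs and the November 20 due date come from the article, while the `dateAdded` value, the product strings and the hostnames in the inventory are assumptions made for the example.

```python
"""Triage CISA KEV entries against a local asset inventory.

Added example (not SecurityWeek, CISA or vendor code). The JSON below is a
constructed sample that mirrors the field names of CISA's KEV feed; the CVE
IDs and the 2025-11-20 due date are from the article, everything else
(dateAdded, product strings, hostnames) is assumed for illustration.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed's "vulnerabilities" array.
KEV_SAMPLE_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-24893",
      "vendorProject": "XWiki",
      "product": "XWiki Platform",
      "dateAdded": "2025-10-30",
      "dueDate": "2025-11-20",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2025-41244",
      "vendorProject": "Broadcom",
      "product": "VMware Aria Operations and VMware Tools",
      "dateAdded": "2025-10-30",
      "dueDate": "2025-11-20",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed asset inventory (hostnames and products are assumptions).
INVENTORY = [
    {"host": "wiki-01", "product": "XWiki Platform"},
    {"host": "app-vm-17", "product": "VMware Tools"},
    {"host": "build-03", "product": "Jenkins"},
]


def load_kev(text):
    """Return the list of catalog entries from a KEV-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def product_matches(entry, product):
    """Case-insensitive substring match of an inventory product against the
    KEV entry's vendor and product strings (KEV product names are free text,
    so exact equality would miss entries such as 'A and B')."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    return product.lower() in haystack


def triage(entries, inventory, today):
    """Pair every affected asset with its KEV entry and compute the deadline
    status relative to `today`. Results are sorted by urgency, then host."""
    findings = []
    for entry in entries:
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not product_matches(entry, asset["product"]):
                continue
            days_left = (due - today).days
            if days_left < 0:
                status = "OVERDUE"
            elif days_left == 0:
                status = "DUE_TODAY"
            else:
                status = "OPEN"
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "window_days": (due - added).days,  # remediation window CISA set
                "days_left": days_left,
                "status": status,
                "ransomware_use": entry["knownRansomwareCampaignUse"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(load_kev(KEV_SAMPLE_JSON), INVENTORY, date.today()):
        print(f"{f['status']:9} {f['host']:10} {f['cveID']} due {f['dueDate']} "
              f"({f['days_left']} days left, window {f['window_days']} days)")
```

In production the sample text would be replaced by the catalog downloaded from CISA, and the inventory by whatever the CMDB or vulnerability scanner exports; the matching logic and the deadline arithmetic stay the same.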

Related: CISA Warns of Exploited DELMIA Factory Software Vulnerabilities

Related: Year-Old WordPress Plugin Flaws Exploited to Hack Websites

Related: Critical Windows Server WSUS Vulnerability Exploited in the Wild

Related: Lanscope Endpoint Manager Zero-Day Exploited in the Wild

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
