(TLP:CLEAR) Vulnerability Notification – Observed Active Exploitation in Cisco and VMware Products, High-Severity Vulnerabilities
Created: Tuesday, September 30, 2025 - 15:05
Categories: Cybersecurity, Security Preparedness
Summary: ACTION MAY BE REQUIRED for utilities using VMware Aria Operations, VMware Tools, Cisco Firewalls and other Cisco devices.
There have been reports of active exploitation of high-severity vulnerabilities in products from two widely used vendors (Cisco and VMware). While WaterISAC is not aware of any direct impacts to the water and wastewater systems sector at this time, we are sending this vulnerability notification for member awareness. Utilities that outsource technology support may want to consult with their service providers for assistance with remediation actions.
Cisco ASA and Other Cisco Devices
On Thursday last week, WaterISAC updated members about actively exploited Cisco devices, primarily affecting Cisco Adaptive Security Appliances (ASA). CISA sent an Emergency Directive (ED) about ongoing exploitation of these devices, and Cisco has since released an Event Response notice regarding the new activity, which it believes is related to the same threat actor as the ArcaneDoor attack campaign in early 2024. These flaws can be exploited by remote unauthenticated attackers with low privileges to execute arbitrary code or gain unauthorized access to restricted endpoints.
WaterISAC encourages members to be extra mindful of the vulnerability management of their Cisco devices at this time, and urges utilities to follow the directive sent by CISA and to address the following vulnerabilities:
VMware Aria Operations, VMware Tools, and other VMware Products
Yesterday, Broadcom released patches for several high-severity vulnerabilities impacting many VMware products, namely VMware Aria Operations and VMware Tools. CVE-2025-41244 is a zero-day vulnerability that researchers believe has been exploited since October 2024. Researchers at NVISO assessed with confidence that UNC5174, a Chinese state-sponsored threat actor, triggered the local privilege escalation, which could be exploited to achieve code execution.
WaterISAC encourages members to address the VMware vulnerabilities, which could result in unprivileged users achieving code execution. The notices below from Broadcom include the impacted VMware products and resolutions:
- VMSA-2025-0015: VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246)
- VMSA-2025-0016: VMware vCenter and NSX updates address multiple vulnerabilities (CVE-2025-41250, CVE-2025-41251, CVE-2025-41252)
Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the online confidential incident reporting form.
