VMSA-2025-0016: VMware vCenter and NSX updates address multiple vulnerabilities (CVE-2025-41250, CVE-2025-41251, CVE-2025-41252)
Advisory ID: VMSA-2025-0016
Advisory Severity: Important
CVSSv3 Range: 7.5-8.5
Synopsis: VMware vCenter and NSX updates address multiple vulnerabilities (CVE-2025-41250, CVE-2025-41251, CVE-2025-41252)
Issue date: 2025-09-29
Updated on: 2025-09-29 (Initial Advisory)
CVE(s): CVE-2025-41250, CVE-2025-41251, CVE-2025-41252
1. Impacted Products
- VMware NSX
- NSX-T
- VMware Cloud Foundation
- VMware vCenter Server
- VMware Telco Cloud Platform
- VMware Telco Cloud Infrastructure
2. Introduction
Multiple vulnerabilities in VMware vCenter and NSX were privately reported to Broadcom. Updates are available to remediate these vulnerabilities in affected Broadcom products.
3a. vCenter SMTP header injection vulnerability (CVE-2025-41250)
Description:
VMware vCenter contains an SMTP header injection vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.5.
Known Attack Vectors:
A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks.
Resolution:
To remediate CVE-2025-41250, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgments:
Broadcom would like to thank Per von Zweigbergk for reporting this issue to us.
Notes:
None.
Response Matrix:

| VMware Product | Component | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation, VMware vSphere Foundation | vCenter | 9.x.x.x | Any | CVE-2025-41250 | 8.5 | Important | 9.0.1.0 | None | None |
| VMware vCenter | N/A | 8.0 | Any | CVE-2025-41250 | 8.5 | Important | 8.0 U3g | None | None |
| VMware vCenter | N/A | 7.0 | Any | CVE-2025-41250 | 8.5 | Important | 7.0 U3w | None | |
| VMware Cloud Foundation | vCenter | 5.x | Any | CVE-2025-41250 | 8.5 | Important | 5.2.2 | None | Async Patching Guide: KB88287 |
| VMware Cloud Foundation | vCenter | 4.5.x | Any | CVE-2025-41250 | 8.5 | Important | Async patch to 7.0 U3w | None | Async Patching Guide: KB88287 |
| VMware Telco Cloud Platform | vCenter | 5.x, 4.x, 3.x, 2.x | Any | CVE-2025-41250 | 8.5 | Important | KB411508 | None | None |
| VMware Telco Cloud Infrastructure | vCenter | 3.x, 2.x | Any | CVE-2025-41250 | 8.5 | Important | KB411508 | None | None |
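The check a defender would want behind 3a, as an added illustration in Python that is not vCenter's code and not part of this advisory: a builder for the mail sent when a user-named scheduled task runs, which refuses CR/LF and other control characters in user-supplied header values and accepts only a single bare recipient address. The function names are hypothetical and all sample values are constructed.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# A CR or LF inside a header value ends that header and starts a new one,
# which is all SMTP header injection needs; other control characters are
# refused too because some mail libraries normalize or fold them.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def safe_header_value(name, value, max_len=200):
    """Return `value` if it may be placed in header `name`; raise ValueError otherwise."""
    if not isinstance(value, str) or not value.strip() or len(value) > max_len:
        raise ValueError(f"{name}: empty or longer than {max_len} characters")
    if _CONTROL.search(value):
        raise ValueError(f"{name}: control characters are not allowed")
    return value

def safe_recipient(addr):
    """Accept exactly one bare addr-spec: no display name, no second address."""
    _, spec = parseaddr(safe_header_value("recipient", addr))
    if spec != addr or "@" not in spec or "," in spec:
        raise ValueError("recipient must be a single bare address")
    return spec

def build_task_notification(task_name, recipient, body, sender="vcenter@example.com"):
    """Hypothetical builder for a scheduled-task notification mail.

    `task_name` and `recipient` are the user-controlled inputs. EmailMessage's
    default policy also refuses CR/LF in headers, so the explicit check above
    is the first of two layers rather than the only one.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = safe_recipient(recipient)
    msg["Subject"] = "Scheduled task completed: " + safe_header_value("task name", task_name)
    msg.set_content(body)
    return msg

def is_rejected(task_name, recipient):
    """True when the builder refuses the given user-supplied values."""
    try:
        build_task_notification(task_name, recipient, "constructed body")
    except ValueError:
        return True
    return False
```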
3b. NSX weak password recovery mechanism vulnerability (CVE-2025-41251)
Description:
VMware NSX contains a weak password recovery mechanism vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.
Known Attack Vectors:
An unauthenticated malicious actor may exploit this vulnerability to enumerate valid usernames, potentially leading to brute-force attacks.
Resolution:
To remediate CVE-2025-41251, apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgments:
Broadcom would like to thank the National Security Agency for reporting this issue to us.
Notes:
None.
3c. NSX username enumeration vulnerability (CVE-2025-41252)
Description:
VMware NSX contains a username enumeration vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors:
An unauthenticated malicious actor may exploit this vulnerability to enumerate valid usernames, potentially leading to unauthorized access attempts.
Resolution:
To remediate CVE-2025-41252, apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgments:
Broadcom would like to thank the National Security Agency for reporting this issue to us.
Notes:
None.
Response Matrix 3b & 3c:

| VMware Product | Component | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation, VMware vSphere Foundation | VMware NSX | 9.x.x.x | Any | CVE-2025-41251, CVE-2025-41252 | 8.1, 7.5 | Important | | None | None |
| VMware NSX | N/A | 4.2.x | Any | CVE-2025-41251, CVE-2025-41252 | 8.1, 7.5 | Important | 4.2.2.2, 4.2.3.1 | None | None |
| VMware NSX | N/A | 4.1.x, 4.0.x | Any | CVE-2025-41251, CVE-2025-41252 | 8.1, 7.5 | Important | 4.1.2.7 | None | None |
| NSX-T | N/A | 3.x | Any | CVE-2025-41251, CVE-2025-41252 | 8.1, 7.5 | Important | 3.2.4.3 | None | None |
| VMware Cloud Foundation | VMware NSX | 5.x | Any | CVE-2025-41251, CVE-2025-41252 | 8.1, 7.5 | Important | | None | Async Patching Guide: KB88287 |
| VMware Cloud Foundation | VMware NSX | 4.5.x | Any | CVE-2025-41251, CVE-2025-41252 | 8.1, 7.5 | Important | | None | Async Patching Guide: KB88287 |
| VMware Telco Cloud Infrastructure | VMware NSX | 3.x, 2.x | Any | CVE-2025-41251, CVE-2025-41252 | 8.1, 7.5 | Important | KB411518 | None | None |
| VMware Telco Cloud Platform | VMware NSX | 5.x, 4.x, 3.x | Any | CVE-2025-41251, CVE-2025-41252 | 8.1, 7.5 | Important | KB411518 | None | None |
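For 3b and 3c together, an added illustration in Python that is not NSX's code and not part of this advisory: a password-recovery handler whose reply differs for known and unknown usernames beside one that answers identically either way, plus a small detector that flags a source probing many distinct usernames in the endpoint's log. The function names, the user store and the event sample are all constructed.

```python
from collections import defaultdict

# Constructed stand-ins for the account database and the outbound mail queue.
USERS = {"admin": "admin@example.com", "auditor": "auditor@example.com"}
MAIL_QUEUE = []  # reset mails are queued for a worker, never sent inline

GENERIC_REPLY = "If that account exists, a reset link has been sent."

def recover_weak(username):
    """Weak shape: status code and body reveal whether the username exists."""
    if username not in USERS:
        return 404, "unknown user"
    MAIL_QUEUE.append(USERS[username])
    return 200, "reset link sent to " + USERS[username]

def recover_uniform(username):
    """Hardened shape: identical status and body for known and unknown names.

    The only difference is a job pushed onto a queue the caller cannot observe,
    so neither the reply nor the time to produce it depends on account existence.
    """
    address = USERS.get(username)
    if address is not None:
        MAIL_QUEUE.append(address)
    return 200, GENERIC_REPLY

def enumeration_suspects(events, threshold=5):
    """Detection side: sources that probed at least `threshold` distinct usernames.

    `events` is an iterable of (source_ip, username) pairs taken from the recovery
    endpoint's access log; a uniform reply removes the oracle, the log still shows the probing.
    """
    names_by_source = defaultdict(set)
    for source, username in events:
        names_by_source[source].add(username)
    return sorted(s for s, names in names_by_source.items() if len(names) >= threshold)

# Constructed log sample: one source walks a username list, another retries one name.
SAMPLE_EVENTS = [
    ("203.0.113.7", "admin"), ("203.0.113.7", "root"), ("203.0.113.7", "auditor"),
    ("203.0.113.7", "backup"), ("198.51.100.2", "admin"), ("198.51.100.2", "admin"),
]
```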
4. References
VMware Cloud Foundation 9.0.1.0:
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?displayGroup=VMware%20Cloud%20Foundation%209&release=9.0.1.0&os=&servicePk=534266&language=EN&groupId=534225&viewGroup=true
VMware vSphere Foundation 9.0.1.0:
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?displayGroup=VMware%20vSphere%20Foundation%209&release=9.0.1.0&os=&servicePk=534207&language=EN&groupId=534225&viewGroup=true
VMware Cloud Foundation 5.2.2
Downloads and Documentation:
https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-5-2-and-earlier/5-2/vcf-release-notes/vmware-cloud-foundation-522-release-notes.html
VMware vCenter 8.0 U3g
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=15964
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/vcenter-server-update-and-patch-release-notes/vsphere-vcenter-server-80u3g-release-notes.html
VMware vCenter 7.0 U3w
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=15986
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/vcenter-server-update-and-patch-releases/vsphere-vcenter-server-70u3w-release-notes.html
VMware NSX 4.2.3.1
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20NSX&displayGroup=VMware%20NSX&release=4.2.3.1&os=&servicePk=&language=EN
https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/release-notes/vmware-nsx-4231-release-notes.html
VMware NSX 4.2.2.2
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20NSX&displayGroup=VMware%20NSX&release=4.2.2.2&os=&servicePk=&language=EN
https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/release-notes/vmware-nsx-4222-release-notes.html
VMware NSX 4.1.2.7
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20NSX&displayGroup=VMware%20NSX&release=4.1.2.7&os=&servicePk=&language=EN
https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/release-notes/vmware-nsx-4127-release-notes.html
VMware NSX-T 3.2.4.3
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20NSX-T%20Data%20Center&displayGroup=VMware%20NSX-T%20Data%20Center&release=3.2.4.3&os=&servicePk=&language=EN
https://techdocs.broadcom.com/us/en/vmware-cis/nsx/nsxt-dc/3-2/release-notes/vmware-nsxt-data-center-3243-release-notes.html
Mitre CVE Dictionary Links:
https://www.cve.org/CVERecord?id=CVE-2025-41250
https://www.cve.org/CVERecord?id=CVE-2025-41251
https://www.cve.org/CVERecord?id=CVE-2025-41252
FIRST CVSSv3 Calculator:
CVE-2025-41250: https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
CVE-2025-41251: https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2025-41252: https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5. Change Log:
2025-09-29 VMSA-2025-0016
Initial security advisory.
6. Contact:
E-mail: [email protected]
PGP key
https://knowledge.broadcom.com/external/article/321551
VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories
VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response
VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle
VMware Security Blog
https://blogs.vmware.com/security
X
https://x.com/VMwareSRC
Copyright 2025 Broadcom. All rights reserved.