VMware vCenter and NSX Flaws Allow Hackers to Enumerate Usernames


Broadcom released VMSA-2025-0016 to address three key vulnerabilities affecting VMware vCenter Server and NSX products.

The vulnerabilities include an SMTP header injection in vCenter (CVE-2025-41250) and two distinct username enumeration flaws in NSX (CVE-2025-41251 and CVE-2025-41252).

All three are rated in the Important severity range with CVSSv3 scores between 7.5 and 8.5.

| CVE ID | Description | CVSSv3 | Affected Products |
|---|---|---|---|
| CVE-2025-41250 | vCenter SMTP header injection | 8.5 | vCenter Server, Cloud Foundation, Telco Cloud |
| CVE-2025-41251 | NSX weak password recovery mechanism allows enumeration | 8.1 | NSX, NSX-T, Cloud Foundation, Telco Cloud |
| CVE-2025-41252 | NSX username enumeration via login response timing | 7.5 | NSX, NSX-T, Cloud Foundation, Telco Cloud |

The vCenter SMTP header injection (CVE-2025-41250) allows any user with permission to create scheduled tasks to manipulate notification emails.

Although it does not grant direct data access, attackers could send crafted emails or harvest internal address information.

Broadcom assigns a maximum CVSSv3 score of 8.5, reflecting network-accessible, low-complexity exploitation with a high impact on integrity.

More concerning are the NSX flaws. CVE-2025-41251 is a weak password recovery mechanism whose responses let an attacker verify valid usernames without authentication.

CVE-2025-41252 is a username enumeration flaw in which subtle differences in login responses reveal which accounts exist. In both cases, an unauthenticated attacker can feed usernames into the recovery or authentication interface and determine which ones are valid, greatly simplifying targeted attacks.

Broadcom credits Per von Zweigbergk and the U.S. National Security Agency for responsibly reporting these issues.

No workarounds exist aside from applying vendor patches immediately. Affected organizations should prioritize updates, as both NSX enumeration flaws can be chained with automated tools to build user lists within minutes.

All supported VMware Cloud Foundation, vSphere, vCenter Server and Telco Cloud releases have fixed versions available.

Download links and detailed response matrices are provided in the official advisory. Administrators should follow asynchronous patching guides or in-place upgrades according to their deployment.

Staying ahead of enumeration attacks is critical. Valid usernames reveal half the information cybercriminals need. Combined with phishing or password-spraying, these flaws could lead to broader network compromise.

By patching promptly and monitoring authentication logs for unusual recovery requests, organizations can reduce their risk.

Administrators must review the Response Matrix in VMSA-2025-0016 and apply patches without delay.

Ensure email notifications, recovery workflows and login endpoints are updated to block unauthorized probes. For more details, consult the official VMware Security Advisories page.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.