VMware has disclosed critical security vulnerabilities in vCenter Server and NSX platforms that could allow attackers to enumerate valid usernames and manipulate system notifications.
The vulnerabilities, tracked as CVE-2025-41250, CVE-2025-41251, and CVE-2025-41252, affect multiple VMware products, including Cloud Foundation, vSphere Foundation, NSX, NSX-T, and Telco Cloud platforms.
Broadcom, which acquired VMware, released a security advisory on September 29, 2025, rating the vulnerabilities with CVSS base scores ranging from 7.5 to 8.5, classifying them as “Important” severity.
The National Security Agency (NSA) reported two of the three vulnerabilities, highlighting their potential national security implications.
The first vulnerability, CVE-2025-41250, is an SMTP header injection flaw in VMware vCenter Server with a CVSS score of 8.5.
This vulnerability enables malicious actors with non-administrative privileges who have permission to create scheduled tasks to manipulate notification emails sent for those tasks.
The attack vector requires authenticated access to vCenter with task creation permissions. By exploiting SMTP header injection techniques, attackers can modify email headers, potentially redirecting notifications, inserting malicious content, or bypassing email security filters.
This could lead to social engineering attacks, credential harvesting, or unauthorized disclosure of information through manipulated email communications.
Affected products include vCenter Server versions 7.0, 8.0, and 9.x across various VMware Cloud Foundation and vSphere Foundation deployments.
The vulnerability impacts VMware Telco Cloud Platform versions 2.x through 5.x and Telco Cloud Infrastructure versions 2.x and 3.x.
Per von Zweigbergk receives acknowledgment for responsibly disclosing this vulnerability to Broadcom. No workarounds are available, requiring organizations to apply the provided security patches immediately.
NSX Username Enumeration Vulnerabilities
Two separate username enumeration vulnerabilities affect NSX platforms, creating pathways for reconnaissance attacks.
CVE-2025-41251, with a CVSS score of 8.1, represents a weak password recovery mechanism vulnerability allowing unauthenticated attackers to enumerate valid usernames through password recovery processes.
CVE-2025-41252, scoring 7.5 on the CVSS scale, is a direct username enumeration vulnerability that permits unauthenticated malicious actors to identify valid usernames without requiring authentication.
Both vulnerabilities can serve as reconnaissance tools for subsequent brute-force attacks or targeted credential stuffing campaigns.
Username enumeration attacks typically exploit differences in application responses when processing valid versus invalid usernames.
Attackers can analyze response times, error messages, HTTP status codes, or other behavioral patterns to determine which usernames exist in the system.
This information becomes valuable for password spraying attacks, social engineering campaigns, or targeted phishing attempts.
The NSX vulnerabilities affect VMware NSX versions 4.0.x through 4.2.x, NSX-T version 3.x, and NSX components within Cloud Foundation and Telco Cloud platforms.
Organizations running these platforms face immediate exposure to reconnaissance attacks that could facilitate broader compromise attempts.
Security patches are available through various fixed versions, including NSX 4.2.2.2, 4.2.3.1, 4.1.2.7, and NSX-T 3.2.4.3.
| CVE | Title | CVSS 3.1 Score | Severity |
| CVE-2025-41250 | vCenter SMTP Header Injection Vulnerability | 8.5 | Important |
| CVE-2025-41251 | NSX Weak Password Recovery Mechanism Vulnerability | 8.1 | Important |
| CVE-2025-41252 | NSX Username Enumeration Vulnerability | 7.5 | Important |
VMware Cloud Foundation users should implement asynchronous patching procedures documented in KB88287. Meanwhile, Telco Cloud Platform and Infrastructure users should refer to KB411518 for update guidance.
The NSA’s involvement in reporting these vulnerabilities underscores their significance for enterprise and government environments where VMware infrastructure provides critical virtualization and networking services.
Broadcom has already released patches that organizations should prioritize to address these vulnerabilities, as username enumeration could enable more sophisticated attack campaigns targeting virtualized infrastructure.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
