VMware NSX XSS Vulnerability Allows Attackers to Inject Malicious Code

Multiple Cross-Site Scripting (XSS) vulnerabilities in the VMware NSX network virtualization platform could allow malicious actors to inject and execute harmful code. 

The security bulletin published on June 4, 2025, details three distinct vulnerabilities affecting VMware NSX Manager UI, gateway firewall, and router port components, with CVSS base scores ranging from 5.9 to 7.5.

CVE-2025-22243: Stored XSS Vulnerability in NSX Manager UI

The CVE-2025-22243 vulnerability represents a critical stored Cross-Site Scripting (XSS) flaw in VMware NSX Manager’s user interface (UI), scoring a CVSSv3 base score of 7.5 (Important severity). 

The issue stems from improper input validation in network configuration fields, allowing persistent injection of malicious JavaScript payloads. 

This vulnerability impacts all VMware NSX versions 4.0.x through 4.2.x, as well as dependent platforms like VMware Cloud Foundation and Telco Cloud Infrastructure.

An attacker with administrative privileges to modify network settings could embed malicious scripts in fields such as DNS names or IP address descriptions. 

These payloads execute automatically when legitimate administrators view the compromised configurations through the NSX Manager UI. 

The attack leverages the privilege escalation risk inherent in management interfaces, as the injected code operates within the victim’s session context, potentially enabling credential theft or lateral movement.

CVE-2025-22244: Stored XSS in Gateway Firewall Response Pages

CVE-2025-22244 affects NSX’s gateway firewall URL filtering component, carrying a CVSSv3 score of 6.9 (Moderate severity). 

The vulnerability allows malicious actors to inject scripts into custom response pages shown when users attempt to access blocked websites. This impacts NSX 4.0.x–4.2.x and dependent cloud platforms.

Attackers with gateway firewall configuration privileges can modify HTML templates for block pages to include

When users encounter these pages, their browsers execute the embedded code in the context of the NSX UI domain, enabling session hijacking or phishing attacks.

CVE-2025-22245: Stored XSS in Router Port Configurations

The CVE-2025-22245 vulnerability (CVSSv3: 5.9, Moderate) resides in NSX’s router port management interface. 

Improper sanitization of port description fields enables script injection, affecting NSX 4.0.x–4.2.x deployments and integrated cloud platforms. Malicious actors with router port modification rights can insert JavaScript into description metadata. 

The payload triggers when other users view or edit the compromised port configurations, potentially intercepting network traffic data or altering routing tables. All three vulnerabilities share common root causes in inadequate input sanitization and privileged access requirements.

Patches Available 

VMware has released comprehensive patches addressing all three vulnerabilities across affected product lines. 

For VMware NSX deployments, users should immediately upgrade to version 4.2.2.1 for 4.2.x installations, 4.2.1.4 for 4.2.1.x versions, or 4.1.2.6 for both 4.1.x and 4.0.x deployments. 

Notably, VMware has discontinued support for 4.0.x versions, recommending migration to the 4.1.2.6 patch release. VMware Cloud Foundation environments require asynchronous patching to the corresponding NSX versions.

The patching process varies by Cloud Foundation version, with 5.2.x requiring NSX 4.2.2.1 and earlier versions requiring NSX 4.1.2.6.

VMware has confirmed that no workarounds exist for these vulnerabilities, making immediate patching the only effective mitigation strategy. 

Organizations should prioritize these updates, given the potential for privilege escalation and the persistent nature of stored cross-site scripting (XSS) attacks in network management interfaces.

Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests