
NSA-Reported VMware Flaws Patched by Broadcom

Summary

– Broadcom has patched two high-severity VMware NSX vulnerabilities (CVE-2025-41251 and CVE-2025-41252) reported by the NSA, which allow unauthenticated attackers to enumerate valid usernames.
– The first vulnerability (CVE-2025-41251) stems from a weakness in the password recovery mechanism, potentially enabling brute-force attacks using the enumerated usernames.
– Broadcom also fixed a high-severity SMTP header injection flaw (CVE-2025-41250) in VMware vCenter that lets non-administrative users manipulate scheduled task notification emails.
– Additional vulnerabilities were patched in VMware Aria Operations and VMware Tools (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246), which could lead to privilege escalation, credential theft, and unauthorized VM access.
– VMware products are frequently targeted by state-sponsored hackers and cybercrime groups due to their widespread use in enterprises for handling sensitive corporate data.

Broadcom has issued critical security updates to address two significant vulnerabilities discovered in VMware NSX by the U.S. National Security Agency. These patches are essential for organizations relying on VMware’s networking virtualization platform to protect their private and hybrid cloud environments from potential cyberattacks. The first vulnerability, identified as CVE-2025-41251, stems from a weakness in the password recovery mechanism, allowing unauthenticated attackers to enumerate valid usernames. This information could be leveraged in subsequent brute-force attacks to gain unauthorized access.

The second issue, CVE-2025-41252, is a username enumeration flaw that similarly enables threat actors to identify legitimate usernames without authentication. Both vulnerabilities pose a serious risk, as they could facilitate unauthorized access attempts against affected systems. Broadcom publicly acknowledged the NSA for bringing these security gaps to their attention in a recent advisory.
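The weakness class behind both NSX issues, a recovery or login endpoint whose response differs for existing and non-existing accounts, is easier to reason about with a concrete handler beside its hardened form. The following is added illustration code, not VMware's or Broadcom's implementation and not derived from the advisory; the user store, the handler names, the response strings and the log lines are all constructed for the example. It also includes a small detection routine for the request pattern such a flaw invites, which goes beyond the article's description.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account store for this example (not a real user database).
KNOWN_USERS = {"alice", "bob"}


def reset_leaky(username: str) -> tuple[int, str]:
    """Weak password-recovery handler: status code and message reveal whether
    the username exists, so an unauthenticated caller can enumerate accounts
    simply by submitting candidate names."""
    if username in KNOWN_USERS:
        return 200, "A password reset link has been emailed to you."
    return 404, "No account with that username exists."


def reset_uniform(username: str) -> tuple[int, str]:
    """Hardened handler: the externally visible response is identical for known
    and unknown usernames; only the side effect (sending the email) depends on
    whether the account exists."""
    if username in KNOWN_USERS:
        pass  # the reset email would be sent here, invisibly to the caller
    return 200, "If an account with that username exists, a reset link has been emailed."


def leaks_user_existence(handler) -> bool:
    """Black-box check a defender can run against a recovery endpoint: does the
    response differ between a known and an unknown username?"""
    return handler("alice") != handler("no-such-user-xyz")


# Constructed authentication log lines: timestamp, source address, action, username.
RESET_LOG = [
    "2025-09-30T10:00:01 203.0.113.5 reset user=alice",
    "2025-09-30T10:00:02 203.0.113.5 reset user=admin",
    "2025-09-30T10:00:03 203.0.113.5 reset user=root",
    "2025-09-30T10:00:04 203.0.113.5 reset user=bob",
    "2025-09-30T10:00:05 203.0.113.5 reset user=operator",
    "2025-09-30T10:00:06 203.0.113.5 reset user=backup",
    "2025-09-30T10:05:00 198.51.100.7 reset user=alice",
    "2025-09-30T10:05:30 198.51.100.7 reset user=alice",
]


def enumeration_suspects(log_lines: list[str], threshold: int = 5,
                         window: timedelta = timedelta(minutes=1)) -> set[str]:
    """Detection logic: flag any source that requests resets for at least
    `threshold` distinct usernames within `window`. One user retrying their own
    reset does not trip it; a sweep of candidate names does."""
    events: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in log_lines:
        stamp, source, _action, user_field = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        events[source].append((when, user_field.split("=", 1)[1]))

    suspects: set[str] = set()
    for source, items in events.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            names = {u for t, u in items[i:] if t - start <= window}
            if len(names) >= threshold:
                suspects.add(source)
                break
    return suspects


if __name__ == "__main__":
    print("leaky handler enumerable:", leaks_user_existence(reset_leaky))
    print("uniform handler enumerable:", leaks_user_existence(reset_uniform))
    print("suspect sources:", enumeration_suspects(RESET_LOG))
```

A uniform message is necessary but not sufficient: if the known-account branch does measurably more work (a database lookup, an email send) than the unknown branch, response timing still distinguishes the two, so the hardened version should also queue the email asynchronously or otherwise equalise the work done. The detection threshold and window are tuning knobs; the sample values are chosen only to make the constructed log separate cleanly.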

In a separate but related development, the company also resolved a high-severity SMTP header injection vulnerability in VMware vCenter, cataloged as CVE-2025-41250. This flaw could be exploited by attackers holding non-administrative privileges who have permission to create scheduled tasks, allowing them to manipulate notification emails associated with those tasks.
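SMTP header injection is a generic flaw class: if text a low-privilege user controls (here, a task name) is placed into a mail header without rejecting line breaks, a CR/LF inside that text terminates the header and the remainder is read as additional headers by the mail server. The block below is an added, generic illustration with a vulnerable builder beside a hardened one; it is not vCenter's code and makes no claim about how the vCenter notification is actually assembled. The sender, recipient and task names are constructed for the example.

```python
from __future__ import annotations

import re

CRLF = "\r\n"
# Any bare CR or LF in a header value is a line-break injection attempt.
HEADER_INJECTION_RE = re.compile(r"[\r\n]")


def build_notification_unsafe(task_name: str, recipient: str) -> str:
    """Vulnerable message builder: user-controlled text is concatenated straight
    into the header block. A task name containing CR/LF ends the Subject header
    early and whatever follows is parsed as further headers."""
    return (
        f"From: scheduler@example.test{CRLF}"
        f"To: {recipient}{CRLF}"
        f"Subject: Scheduled task '{task_name}' completed{CRLF}"
        f"{CRLF}"
        f"Task '{task_name}' finished successfully.{CRLF}"
    )


def build_notification_safe(task_name: str, recipient: str) -> str:
    """Hardened builder: refuse any header input that contains a line break
    before it reaches the message. (Python's email.message.EmailMessage with
    its default policy enforces the same rule when a header is assigned.)"""
    for label, value in (("task_name", task_name), ("recipient", recipient)):
        if HEADER_INJECTION_RE.search(value):
            raise ValueError(f"{label} contains a line break; refusing to build message")
    return build_notification_unsafe(task_name, recipient)


def parse_headers(raw_message: str) -> dict[str, str]:
    """Minimal header parser standing in for a mail server: headers run up to
    the first blank line, one 'Name: value' per line (folding not handled)."""
    header_block, _, _body = raw_message.partition(CRLF + CRLF)
    headers: dict[str, str] = {}
    for line in header_block.split(CRLF):
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


# Constructed inputs: a benign task name and one carrying an injected header.
BENIGN_TASK = "Nightly snapshot"
INJECTED_TASK = "Nightly snapshot" + CRLF + "Bcc: outsider@attacker.test"
RECIPIENT = "ops@example.test"


def headers_added_by_input(task_name: str) -> set[str]:
    """Headers present in the unsafe message that the template never defined;
    a non-empty result means the input rewrote the envelope."""
    template_headers = {"From", "To", "Subject"}
    built = build_notification_unsafe(task_name, RECIPIENT)
    return set(parse_headers(built)) - template_headers


def input_is_rejected(task_name: str) -> bool:
    """True if the hardened builder refuses the input."""
    try:
        build_notification_safe(task_name, RECIPIENT)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign input adds headers:", headers_added_by_input(BENIGN_TASK))
    print("crafted input adds headers:", headers_added_by_input(INJECTED_TASK))
    print("hardened builder rejects crafted input:", input_is_rejected(INJECTED_TASK))
```

Rejecting rather than silently stripping is the better default for a scheduled-task field: the user sees why the name was refused, and an audit log of refused values gives the defender a record of attempts. Using a proper mail library instead of string concatenation gets the same protection for free, since modern header APIs refuse values containing line breaks.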

Additionally, Broadcom released another advisory detailing three further security flaws in VMware Aria Operations and VMware Tools, designated CVE-2025-41244, CVE-2025-41245, and CVE-2025-41246. These vulnerabilities could permit attackers to escalate their privileges to root level, steal credentials from other users, and gain unauthorized access to other guest virtual machines.

This recent patching activity follows earlier efforts by Broadcom to secure its products. Earlier this year, the company addressed four vulnerabilities in VMware ESXi, Workstation, Fusion, and Tools. These flaws were initially revealed and exploited as zero-day vulnerabilities during the Pwn2Own Berlin 2025 hacking competition. Prior to that, Broadcom fixed three other actively exploited zero-day vulnerabilities in VMware, which had been reported by the Microsoft Threat Intelligence Center.

VMware’s software is a frequent target for both state-sponsored hacking groups and cybercriminal organizations, including ransomware operators. The widespread corporate use of VMware products for handling and storing sensitive data makes them attractive targets for exploitation. For example, late last year attackers began leveraging two VMware vCenter Server vulnerabilities, a privilege escalation flaw and a critical remote code execution vulnerability, that were first disclosed at a Chinese hacking contest.

In a previous incident from early 2024, Chinese state-linked hackers were associated with attacks exploiting a critical vCenter Server zero-day vulnerability. This campaign, which had been ongoing since late 2021, resulted in the installation of VirtualPita and VirtualPie backdoors on compromised ESXi systems, highlighting the persistent and sophisticated threats facing virtualized infrastructure.

(Source: Bleeping Computer)
