A set of substantial security updates for VMware NSX and vCenter has been released by Broadcom, addressing multiple high-severity vulnerabilities that could expose enterprise systems to cyberattacks.
The flaws, disclosed in the latest VMware vCenter and NSX updates and tracked as CVE-2025-41250, CVE-2025-41251 and CVE-2025-41252, were reported by the US National Security Agency and independent security researchers.
They affect several Broadcom products, including VMware Cloud Foundation, NSX-T and VMware Telco Cloud Platform.
One of the most severe issues, tracked as CVE-2025-41250, is an SMTP header injection bug in vCenter. With a CVSSv3 base score of 8.5, it allows attackers with non-administrative privileges to modify email notifications associated with scheduled tasks. Broadcom said no workarounds are available and users should apply the fixed versions immediately.
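To make the bug class concrete, the following added example (not code from Broadcom or VMware, and not a reproduction of the vCenter flaw) shows how an SMTP header injection works when a user-controlled value, here an assumed scheduled-task name, is concatenated into an email header, and how a header-aware builder that rejects line breaks closes the hole. All addresses and the task name are constructed sample values.

```python
# Added example: SMTP header injection in a notification builder, naive vs. hardened.
# Assumed scenario: the Subject of a notification is built from a user-supplied task name.
from email.message import EmailMessage
from email.parser import BytesParser


def build_naive(task_name: str, to_addr: str) -> bytes:
    """Vulnerable pattern: raw string concatenation into the SMTP header block."""
    return (
        "From: vcenter@example.com\r\n"
        f"To: {to_addr}\r\n"
        f"Subject: Scheduled task {task_name}\r\n"
        "\r\nTask completed.\r\n"
    ).encode()


def has_header_break(value: str) -> bool:
    """True if a value bound for a header contains CR or LF (the injection vector)."""
    return "\r" in value or "\n" in value


def build_safe(task_name: str, to_addr: str) -> bytes:
    """Hardened pattern: reject line breaks, then let a header-aware API serialise."""
    if has_header_break(task_name) or has_header_break(to_addr):
        raise ValueError("line break in header-bound input")
    msg = EmailMessage()
    msg["From"] = "vcenter@example.com"
    msg["To"] = to_addr
    msg["Subject"] = f"Scheduled task {task_name}"
    msg.set_content("Task completed.")
    return msg.as_bytes()


def parsed_headers(raw: bytes) -> dict:
    """Parse the serialised message as a mail server would; return its header map."""
    return dict(BytesParser().parsebytes(raw).items())


# Constructed malicious task name: a CRLF followed by an extra header line.
INJECTED = "backup\r\nBcc: attacker@example.net"

if __name__ == "__main__":
    print("naive Bcc:", parsed_headers(build_naive(INJECTED, "admin@example.com")).get("Bcc"))
    try:
        build_safe(INJECTED, "admin@example.com")
    except ValueError as err:
        print("hardened builder rejected input:", err)
```

Run stand-alone, the naive builder yields a parsed Bcc header the author never wrote, while the hardened builder refuses the input before any header is formed.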
Two other flaws in VMware NSX, CVE-2025-41251 and CVE-2025-41252, stem from weaknesses in the authentication process. Both enable unauthenticated attackers to enumerate valid usernames, a step that could support brute-force or unauthorized login attempts.
“Based on the information at hand, these vulnerabilities might be combined to create a viable attack path from unauthenticated reconnaissance to authenticated compromise,” said Mayuresh Dani, security research manager at Qualys Threat Research Unit.
“Once authenticated (considering limited privileges), threat actors will exploit the vCenter SMTP header injection to potentially redirect sensitive communication and escalate their privileges.”
The vulnerabilities are classified as “High” with CVSS scores ranging from 7.5 to 8.5. The weaknesses affect a wide span of VMware infrastructure solutions used in enterprise and telecom environments.
According to the Broadcom advisory, the following products are impacted:
- VMware NSX
- NSX-T
- VMware Cloud Foundation
- VMware vCenter Server
- VMware Telco Cloud Platform
- VMware Telco Cloud Infrastructure
“The two NSX bugs allow unauthenticated users to confirm which usernames exist on a system,” explained Jason Soroko, senior fellow at Sectigo.
“Even without direct code execution, these kinds of flaws are attractive building blocks that adversaries combine with weak or reused credentials to pivot deeper, which helps explain why an intelligence agency would flag them despite High, rather than Critical, ratings.”
Broader Disclosure
Alongside these patches, Broadcom also revealed three other vulnerabilities in VMware Aria Operations and VMware Tools.
These flaws (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246) could allow attackers to escalate privileges to root, steal credentials or access guest VMs.
“The last time the NSA reported VMware vulnerabilities was when Russian state-sponsored actors were actively exploiting them,” Dani noted, referencing CVE-2020-4006.
“This suggests the agency may have intelligence indicating potential exploitation interest from nation-state actors.”
At the time of publication, Soroko clarified: “There is no public confirmation that the NSX username enumeration bugs or the vCenter SMTP header injection were exploited in the wild.”
Still, administrators are urged to update affected systems as soon as possible to mitigate risks. Fixed versions and documentation are available through Broadcom’s support site.