Vulnerability Management, Patch/Configuration Management, Exposure management

Broadcom fixes three high-severity VMware bugs

VMware logo close up on website page

Broadcom on Sept. 29 fixed three high-severity bugs in its VMware products after being advised of the flaws by the National Security Agency (NSA).

Security pros said the notification from NSA indicates that these vulnerabilities involve some national security implications.

“The last time the NSA reported VMware flaws was when Russian state-sponsored actors were actively exploiting them,” said Mayuresh Dani, security research manager at the Qualys Threat Research Unit. “It was CVE-2020-4006, [a critical bug] affecting VMware Workspace One Access in 2020. This suggests the agency may have intelligence indicating potential exploitation interest from nation-state actors.”

The most recent flaws include CVE-2025-41250 (vCenter Server), CVE-2025-41251 (VMware NSX), and CVE-2025-41252 (VMware NSX) and affected all of the following products: VMware NSX, NSX-T, VMware Cloud Foundation, VMware vCenter Server, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure.

“The two NSX bugs let unauthenticated users confirm which usernames exist on a system,” said Jason Soroko, senior fellow at Sectigo. “Even without direct code execution, these kinds of flaws are attractive building blocks that adversaries combine with weak or reused credentials to pivot deeper, which helps explain why an intelligence agency would flag them despite high, rather than critical, ratings.”

To Soroko's knowledge, there’s no public confirmation that the NSX username enumeration bugs or the vCenter SMTP header injection were exploited in the wild.

Mayuresh Dani, security research manager at the Qualys Threat Research Unit, added that based on the information available, these vulnerabilities might be combined to create a viable attack path from unauthenticated reconnaissance to authenticated compromise.

Initial compromise is possible via CVE-2025-41251 and CVE-2025-41252, said Dani, as both NSX vulnerabilities enable unauthenticated username enumeration, only to conduct credential-based attacks. Once authenticated — considering limited privileges — threat actors will exploit the vCenter SMTP header injection to potentially redirect sensitive communication and escalate their privileges.

Dani said even though there’s no threat intelligence around these vulnerabilities being exploited, organizations should do the following:

  • Immediately audit and patch all affected VMware products.
  • Implement email security controls to detect manipulated SMTP headers.
  • Bring in network segmentation to limit NSX management interface exposure and monitor for user enumeration attempts.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds