VMware Publishes Advisory VMSA-2025-0016: Patches for “Important” Vulnerabilities in vCenter and NSX (CVE-2025-41250/41251/41252)

Broadcom (owner of VMware) has issued the VMSA-2025-0016 security advisory dated September 29, 2025. The bulletin confirms three vulnerabilities affecting VMware vCenter Server and VMware NSX/NSX-T, classified as “Important” severity with a CVSSv3 range of 7.5 to 8.5. The company has published updates for the impacted products and recommends applying patches immediately. No workarounds are documented.

The included CVE entries are:

  • CVE-2025-41250: SMTP header injection in vCenter.
  • CVE-2025-41251: weak password recovery mechanism in NSX.
  • CVE-2025-41252: user enumeration in NSX.

This advisory applies to VMware Cloud Foundation environments, vCenter Server (versions 7.0 and 8.0), NSX/NSX-T, as well as the VMware Telco Cloud Platform and Telco Cloud Infrastructure products. Below is an overview of what is known, the operational impact, and the available patches.


What has been discovered and how could it be exploited

1) vCenter: SMTP header injection (CVE-2025-41250 — CVSS 8.5)

Description. vCenter contains an SMTP header injection vulnerability. According to Broadcom, an actor with non-administrative privileges, but with permission to create scheduled tasks, could manipulate the notification emails associated with those tasks.

Practical risk. Exploiting this could allow altering senders/recipients, injecting content, or redirecting critical notifications (e.g., backup alerts, task failures, or operational events). In the worst case, this facilitates internal phishing or information exfiltration through trusted email channels.

Credits. Broadcom thanks Per von Zweigbergk for reporting.

Workaround. There are no official temporary mitigations. The remediation involves patching.


2) NSX: weak password recovery mechanism (CVE-2025-41251 — CVSS 8.1)

Description. VMware NSX exhibited a weak mechanism in password recovery that could be exploited by an unauthenticated attacker to enumerate valid usernames, aiding brute-force attacks or intrusion attempts.

Credits. The vulnerability has been reported by the National Security Agency (NSA) of the U.S.

Workaround. There is no official temporary mitigation. Update to the fixed versions listed in the response matrix.


3) NSX: user enumeration (CVE-2025-41252 — CVSS 7.5)

Description. NSX contained another user enumeration vector, which, like the previous one, could be exploited without authentication to obtain lists of valid accounts, increasing the attack surface for unauthorized access attempts.

Credits. Also reported by the NSA.

Workaround. There is no temporary mitigation. Patch required.


Affected products and versions

The advisory mentions, among others:

  • VMware vCenter Server (7.0 and 8.0).
  • VMware NSX (lines 9.x, 4.2.x, 4.1.x, 4.0.x) and NSX-T 3.x.
  • VMware Cloud Foundation (9.x, 5.x, 4.5.x).
  • VMware vSphere Foundation (9.x).
  • VMware Telco Cloud Platform (5.x, 4.x, 3.x, 2.x) and Telco Cloud Infrastructure (3.x, 2.x).

Broadcom has published patches for each supported branch. No workarounds are offered: patching is the only remediation method.


Summary of fixed versions (operational overview)

For CVE-2025-41250 (vCenter — SMTP header injection)

  • vCenter 8.0 → 8.0 U3g.
  • vCenter 7.0 → 7.0 U3w.
  • vCenter (in vSphere/Cloud Foundation 9) → 9.0.1.0.
  • Cloud Foundation 5.x (vCenter component) → 5.2.2 (see KB88287 for async patching).
  • Cloud Foundation 4.5.x → async patch to vCenter 7.0 U3w (see KB88287).
  • Telco Cloud Platform / Telco Cloud Infrastructure (vCenter 5.x/4.x/3.x/2.x and 3.x/2.x) → see KB411508.

For CVE-2025-41251 and CVE-2025-41252 (NSX — weak password recovery and user enumeration)

  • NSX 9.x (incl. vSphere/Cloud Foundation 9) → 9.0.1.0.
  • NSX 4.2.x → 4.2.2.2 or 4.2.3.1.
  • NSX 4.1.x / 4.0.x → 4.1.2.7.
  • NSX-T 3.x → 3.2.4.3.
  • Cloud Foundation 5.x / 4.5.x (NSX) → see KB88287 (Async Patching Guide).
  • Telco Cloud Platform / Telco Cloud Infrastructure (NSX 5.x/4.x/3.x and 3.x/2.x) → see KB411518.

Important. The VMSA directs to the official release notes and download pages (vCenter 8.0 U3g, 7.0 U3w, NSX 4.2.3.1, 4.2.2.2, 4.1.2.7, NSX-T 3.2.4.3, VCF 9.0.1.0, and 5.2.2). If your environment is under Cloud Foundation, review KB88287 for the async patching procedure.
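The response matrix above is easy to misread when several branches are in play (NSX 4.2.x has two fix lines, 4.0.x moves to the 4.1 line, vCenter uses "U3g"-style names while VCF 9 uses dotted numbers). The following script is an added example, not Broadcom's or VMware's code: it encodes the fixed versions exactly as listed in this summary and compares an inventory against them. It assumes that vCenter patch letters within one update (U3a, U3b, ... U3g) are ordered alphabetically and ignores build numbers; the hostnames and versions in the inventory are constructed for the example.

```python
"""Compare an inventory of vCenter and NSX versions against the VMSA-2025-0016 fixed versions."""
import re

# Fixed versions per product line, as listed in the advisory's response matrix.
# Keys are version prefixes; the longest prefix that matches a version wins.
NSX_FIXED = {
    "9.": "9.0.1.0",      # NSX 9.x (incl. vSphere/Cloud Foundation 9)
    "4.2.3.": "4.2.3.1",  # NSX 4.2.3.x
    "4.2.": "4.2.2.2",    # other NSX 4.2.x
    "4.1.": "4.1.2.7",    # NSX 4.1.x
    "4.0.": "4.1.2.7",    # NSX 4.0.x moves to the 4.1 line
    "3.": "3.2.4.3",      # NSX-T 3.x
}
VCENTER_FIXED = {
    "9.0": "9.0.1.0",     # vCenter in vSphere/Cloud Foundation 9
    "8.0": "8.0 U3g",
    "7.0": "7.0 U3w",
}


def nsx_key(version):
    """'4.2.2.1' -> (4, 2, 2, 1); missing trailing fields compare as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


# Accepts "8.0 U3g", "7.0 U3", "8.0" and dotted "9.0.1.0".
_VC_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+)(?:\.(\d+))?|\s*U(\d+)([a-z]?))?$")


def vcenter_key(version):
    """Turn the advisory's vCenter notation into a comparable tuple.

    Assumption (not from the advisory): within an update, the patch letters
    a, b, c, ... are released in alphabetical order, so 'U3g' > 'U3e' > 'U3'.
    Build numbers are not handled.
    """
    m = _VC_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version: {version!r}")
    major, minor, p3, p4, upd, letter = m.groups()
    if upd is not None:
        patch = ord(letter) - ord("a") + 1 if letter else 0
        return (int(major), int(minor), int(upd), patch)
    return (int(major), int(minor), int(p3 or 0), int(p4 or 0))


def assess(product, version):
    """Return (status, fixed_version); status is 'affected', 'fixed' or 'not-in-matrix'."""
    product = product.lower()
    if product in ("nsx", "nsx-t"):
        table, key = NSX_FIXED, nsx_key
    elif product == "vcenter":
        table, key = VCENTER_FIXED, vcenter_key
    else:
        raise ValueError(f"unknown product: {product!r}")
    fixed = None
    for prefix in sorted(table, key=len, reverse=True):
        if (version.strip() + ".").startswith(prefix):
            fixed = table[prefix]
            break
    if fixed is None:
        return ("not-in-matrix", None)  # e.g. a line not in the matrix: verify manually
    status = "fixed" if key(version) >= key(fixed) else "affected"
    return (status, fixed)


# Constructed sample inventory (hostnames and versions are made up for this example).
INVENTORY = [
    ("vcsa-prod-01", "vcenter", "8.0 U3e"),
    ("vcsa-dr-01", "vcenter", "7.0 U3w"),
    ("vcsa-vcf9", "vcenter", "9.0.0.0"),
    ("nsx-mgr-a", "nsx", "4.2.2.1"),
    ("nsx-mgr-b", "nsx", "4.2.3.1"),
    ("nsx-mgr-c", "nsx", "4.0.1.1"),
    ("nsxt-legacy", "nsx-t", "3.2.3.1"),
    ("nsx-unlisted", "nsx", "2.5.1"),
]


def assess_inventory(inventory):
    """Annotate each (name, product, version) record with (status, fixed_version)."""
    return [(name, product, version) + assess(product, version)
            for name, product, version in inventory]


if __name__ == "__main__":
    for name, product, version, status, fixed in assess_inventory(INVENTORY):
        print(f"{name:<14} {product:<8} {version:<10} {status:<14} fixed in: {fixed or 'n/a'}")
```

Anything reported as "not-in-matrix" is not proof of safety: it only means the branch is not in the table above, so check the official advisory for that line. Feed the script the version strings your inventory tool already collects, and treat every "affected" row as a patch-window candidate.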


What should administrators do (priorities and action plan)

  1. Quick inventory.
    • Identify all instances of vCenter (7.0/8.0/9.x) and NSX/NSX-T in the environment (including Telco and Cloud Foundation environments).
    • Record exact version and dependencies (plugins, notification solutions, backup integrations).
  2. Assess exposure and risk.
    • For vCenter: check who has permission to create scheduled tasks and where those tasks send notifications. If there are accounts with excessive permissions or external recipients, review them.
    • For NSX: determine if the management interface is accessible from untrusted segments. User enumeration by unauthenticated actors indicates risk if that surface is not isolated.
  3. Plan patching.
    • Schedule maintenance windows and take snapshots/backups of appliances before updating.
    • In Cloud Foundation, follow the async process (see KB88287).
    • Validate compatibilities (e.g., products dependent on the exact vCenter or NSX version).
  4. Apply patches according to the response matrix.
    • vCenter 8.0 → 8.0 U3g; 7.0 → 7.0 U3w; vSphere/VCF 9 → 9.0.1.0.
    • NSX 9.x → 9.0.1.0; 4.2.x → 4.2.2.2 or 4.2.3.1; 4.1/4.0 → 4.1.2.7; NSX-T 3.x → 3.2.4.3.
    • Telco Cloud: follow KB411508 (vCenter) and KB411518 (NSX).
  5. Additional hardening (recommended).
    • vCenter: minimize the number of users who create tasks; audit email templates; enable MFA and alerting in SIEM for changes in scheduled tasks.
    • NSX/NSX-T: ensure that the management UI/API is not accessible from the Internet; activate lockout policies and MFA; monitor peaks in authentication attempts (possible enumeration); align password policies with corporate standards.
    • Log any abnormal behavior in SIEM (unusual SMTP notifications, account scans, etc.).
  6. Post-patch verification.
    • Confirm target versions (vCenter/NSX).
    • Validate SMTP notifications (format, recipients) and access to NSX Manager.
    • Document the closure of the risk in your internal CVE matrix.
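Step 5 asks for monitoring of authentication-attempt peaks that may indicate user enumeration. The script below is an added example, not part of the advisory or of any VMware product: it shows one way to express that detection, flagging a single source address that cycles through many different usernames within a short window. The log line format is invented for the example (label it constructed when adapting); map your NSX Manager or vCenter audit fields onto the same three values (timestamp, source, username). Thresholds are assumptions to tune per environment.

```python
"""Flag sources that try many distinct usernames in a short window (enumeration signal)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a syslog-like stream of failed management-plane logins.
# The line format is invented for this example; when adapting it, map the
# timestamp, source address and username fields of your NSX Manager / vCenter
# audit logs onto the same three values.
SAMPLE_LOG = """\
2025-09-30T08:00:01Z auth-fail src=10.0.5.23 user=admin
2025-09-30T08:00:02Z auth-fail src=10.0.5.23 user=audit
2025-09-30T08:00:03Z auth-fail src=10.0.5.23 user=backup
2025-09-30T08:00:04Z auth-fail src=10.0.9.8 user=ops
2025-09-30T08:00:05Z auth-fail src=10.0.5.23 user=svc-monitor
2025-09-30T08:00:06Z auth-fail src=10.0.5.23 user=enterprise_admin
2025-09-30T08:00:07Z auth-fail src=10.0.9.8 user=ops
2025-09-30T08:00:08Z auth-fail src=10.0.5.23 user=network_admin
2025-09-30T08:00:09Z auth-fail src=10.0.7.7 user=admin
2025-09-30T08:00:10Z auth-fail src=10.0.7.7 user=root
2025-09-30T08:00:11Z auth-fail src=10.0.9.8 user=ops
"""

LINE_RE = re.compile(r"^(\S+) auth-fail src=(\S+) user=(\S+)$")


def parse_events(text):
    """Return a list of (timestamp, source, username) for each recognised failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unrelated lines rather than failing the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def detect_enumeration(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {source: peak distinct usernames} for sources that exceed the threshold.

    A single source cycling through many different account names within the window
    is the pattern the hardening step asks to watch for. Repeated failures against
    one account (classic brute force) are deliberately not counted here; that is a
    separate rule, normally covered by the lockout policy.
    """
    recent = defaultdict(list)  # source -> [(ts, user), ...] still inside the window
    alerts = {}
    for ts, src, user in sorted(events):
        bucket = recent[src]
        bucket.append((ts, user))
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)  # expire events older than the window
        distinct = len({u for _, u in bucket})
        if distinct >= min_distinct_users:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, n in detect_enumeration(parse_events(SAMPLE_LOG)).items():
        print(f"possible user enumeration from {src}: {n} distinct usernames tried")
```

In the sample, only 10.0.5.23 trips the rule (six different account names in under a minute); 10.0.9.8 fails repeatedly against one account and 10.0.7.7 tries two names, neither of which meets the threshold. In a SIEM the same logic maps to a "distinct count of username by source over a 5-minute window" query, and the alert should be enriched with whether the source sits in a management segment at all, since the advisory's recommendation is that the NSX management surface is not reachable from untrusted networks in the first place.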

Why does this VMSA deserve priority?

  • No temporary mitigation available. Broadcom does not publish workarounds: the only effective solution is updating.
  • Low-friction vectors. In vCenter, just a non-admin user with a common permission (creating tasks) can alter emails. In NSX, the unauthenticated attacker can enumerate users, a classic prerequisite for brute-force or password spraying.
  • Critical surfaces. vCenter and NSX are control planes: any abuse amplifies impact on compute, network, and segmentation.
  • Compliance. Rapid remediation helps align with requirements like NIS2 (EU) or expectations from SEC (US) regarding vulnerability management and disclosure.

References and downloads (as per the VMSA)

  • vCenter 8.0 U3g and 7.0 U3w — official download pages and release notes.
  • Cloud Foundation 9.0.1.0 / 5.2.2 — downloads and release notes.
  • NSX 4.2.3.1 / 4.2.2.2 / 4.1.2.7 and NSX-T 3.2.4.3 — downloads and release notes.
  • KB88287: Async Patching Guide for VCF environments.
  • KB411508 / KB411518 — procedures for Telco Cloud.
  • Official CVE records (cve.org) for CVE-2025-41250, -41251, and -41252.
  • PSIRT contact: the e-mail address listed in the advisory (with PGP available).

(Full URLs are included in the official VMSA-2025-0016 notice.)


Timeline and status

  • Initial release: September 29, 2025 (status: OPEN).
  • Severity: Important (CVSS 7.5–8.5).
  • Affected products: vCenter / NSX / NSX-T and related suites (Cloud Foundation, Telco Cloud Platform/Infrastructure).
  • Workarounds: not available.

Conclusion

The VMSA-2025-0016 is a high operational impact advisory: it affects core components of the VMware stack and no mitigation other than patching is available. To reduce attack surface:

  1. Inventory and prioritize based on exposure.
  2. Schedule maintenance windows and update to the indicated fixed versions.
  3. Harden permissions (tasks in vCenter, authentication policies in NSX).
  4. Monitor for signs of enumeration, access attempts, and changes to SMTP notifications.

Applying the patches early prevents incidents which, at the control-plane level, tend to spread rapidly.


Frequently Asked Questions

What is the real risk of CVE-2025-41250 in vCenter, and how can it be mitigated today?
CVE-2025-41250 allows SMTP header injection in vCenter emails by an attacker who lacks admin privileges but can create scheduled tasks. The risk: altering senders/recipients and using notifications as vectors for phishing or exfiltration. The only mitigation is patching (8.0 to 8.0 U3g, 7.0 to 7.0 U3w, vSphere/VCF 9 to 9.0.1.0). Additionally, review who can create tasks and audit email templates/recipients.

How do I know if my NSX version is affected by CVE-2025-41251/41252?
If you operate NSX 9.x, 4.2.x, 4.1.x, 4.0.x or NSX-T 3.x, your environment is within scope. The fixed versions are 9.0.1.0, 4.2.2.2/4.2.3.1, 4.1.2.7, and 3.2.4.3 respectively. In Cloud Foundation 5.x / 4.5.x, see KB88287; in Telco environments, consult KB411518. No workarounds are available, so update is necessary.

If I can’t patch today, is there a recommended temporary mitigation from VMware?
The VMSA explicitly states “None”. However, as a defensive hygiene, limit management access (to NSX interfaces), implement MFA/lockouts, monitor enumeration attempts, and review vCenter permissions for scheduled tasks. These measures do not replace patching.

Where can I download vCenter 8.0 U3g / 7.0 U3w and NSX 4.2.3.1 / 4.1.2.7?
Broadcom provides downloads and release notes on its support portal (links referenced in the VMSA-2025-0016). For VCF, review VCF 9.0.1.0, VCF 5.2.2, and the KB88287 guide; for Telco Cloud, see KB411508/KB411518.

Who reported these vulnerabilities?
The vCenter (CVE-2025-41250) issue was reported by Per von Zweigbergk. The two NSX vulnerabilities (CVE-2025-41251/41252) were reported by the National Security Agency (NSA).


Legal notice: this article summarizes the VMSA-2025-0016 published by Broadcom/VMware on September 29, 2025. For patching and compatibility decisions, always refer to the official advisory, release notes, and product documentation.
