Broadcom (VMware) has just released VMSA-2025-0010, a security advisory detailing multiple vulnerabilities across vCenter Server, ESXi, Workstation, and Fusion. While not all of them are critical, one vulnerability in particular stands out due to its potential for authenticated command execution, warranting immediate action from IT teams.
Let’s break down the impact, affected components, and what you should do next.
Summary of the Key Vulnerabilities
1. CVE-2025-41225 – Authenticated Command Execution in vCenter Server
- CVSSv3 Score: 8.8 (High)
- Impact: An authenticated user with permission to create or modify alarms and run scripts can execute arbitrary commands on the vCenter Server.
- Risk: If exploited, this could allow attackers to gain control of the underlying server, a major concern for enterprise environments.
2. CVE-2025-41226 – Guest Operations Denial-of-Service in ESXi
- CVSSv3 Score: 6.8 (Moderate)
- Impact: Attackers with guest operation privileges can exploit this to crash guest VMs using VMware Tools and guest operations APIs.
3. CVE-2025-41227 – Memory Exhaustion DoS in ESXi/Workstation/Fusion
- CVSSv3 Score: 5.5 (Moderate)
- Impact: A user inside a VM can exhaust memory of the host process, leading to a denial-of-service of other running VMs or services.
4. CVE-2025-41228 – Reflected XSS in ESXi and vCenter Server
- CVSSv3 Score: 4.3 (Low)
- Impact: Could allow a remote attacker to redirect users or steal their cookies if a user is tricked into opening a specially crafted URL.
Affected VMware Products
| Product | Affected Version(s) | Fixed Version |
|---|---|---|
| vCenter Server | Various 7.x and 8.x builds | 7.0 U3x and 8.0 U2x (latest patch) |
| ESXi | 6.7, 7.0, 8.0 | Update to fixed versions per advisory |
| Workstation Pro | Pre-17.5.x | 17.5.2 or later |
| Fusion | Pre-13.5.x | 13.5.2 or later |
| Cloud Foundation, Telco Cloud | Multiple versions | Refer to Broadcom advisory matrix |
Why This Matters
While the Denial-of-Service and XSS issues pose moderate threats, the vCenter authenticated command execution flaw (CVE-2025-41225) is the most urgent. It essentially gives privileged users the ability to run arbitrary system-level commands on one of the most critical infrastructure components.
This could be exploited by:
- Malicious insiders
- Compromised accounts via phishing
- Automated attacks leveraging misconfigured roles
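Because the exposure to CVE-2025-41225 depends on who holds alarm rights, a quick inventory of those grants is the first check worth running. The PowerCLI script below is an added example, not code from the advisory or from Broadcom; it assumes PowerCLI is installed, that you have a read-only vCenter login, and that the privilege IDs Alarm.Create and Alarm.Edit, the ExecuteScript alarm action type and its ScriptFilePath property are named as in the vSphere API. It only reads from vCenter.

```powershell
# Added audit script (not from VMSA-2025-0010 or Broadcom). Lists every
# principal that can create or modify alarms, and every alarm that already
# runs a script, so you have a baseline before and after patching.
# Assumptions: PowerCLI module present; 'Alarm.Create'/'Alarm.Edit' privilege
# IDs, 'ExecuteScript' action type and 'ScriptFilePath' as in the vSphere API.
param(
    [Parameter(Mandatory)] [string] $VCenter
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $VCenter

$alarmPrivs = @('Alarm.Create', 'Alarm.Edit')

# 1. Roles whose privilege list includes alarm creation or editing.
$alarmRoles = Get-VIRole | Where-Object {
    $role = $_
    ($alarmPrivs | Where-Object { $role.PrivilegeList -contains $_ }).Count -gt 0
}

# 2. Permission assignments that hand out one of those roles.
#    Anything other than the built-in Admin role is the first thing to review:
#    that is where a "misconfigured role" would hide.
$perms = Get-VIPermission
$grants = foreach ($r in $alarmRoles) {
    $perms | Where-Object { $_.Role -eq $r.Name } | ForEach-Object {
        [pscustomobject]@{
            Principal = $_.Principal
            Role      = $r.Name
            Entity    = $_.Entity.Name
            Propagate = $_.Propagate
            Review    = ($r.Name -ne 'Admin')
        }
    }
}
$grants | Sort-Object Review -Descending | Format-Table -AutoSize

# 3. Alarm definitions that already execute a script on the vCenter host.
#    Unexpected entries here deserve the same scrutiny as the grants above.
Get-AlarmDefinition | ForEach-Object {
    $def = $_
    Get-AlarmAction -AlarmDefinition $def |
        Where-Object { $_.ActionType -eq 'ExecuteScript' } |
        ForEach-Object {
            [pscustomobject]@{ Alarm = $def.Name; Entity = $def.Entity.Name; Script = $_.ScriptFilePath }
        }
} | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once before patching to capture the baseline, and again afterwards; any new script action or new non-Admin grant in the second run is something to explain.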
What You Should Do Right Now
- Patch Immediately: Upgrade to the fixed versions listed in the official advisory.