VMSA-2025-0010 – VMware ESXi, vCenter Server, Workstation, and Fusion – Multiple Vulnerabilities
VMware by Broadcom has released VMware ESXi, vCenter Server, Workstation, and Fusion updates to address multiple vulnerabilities: CVE-2025-41225, CVE-2025-41226, CVE-2025-41227, and CVE-2025-41228.
Multiple vulnerabilities in ESXi, vCenter Server, and Workstation were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
Impacted Products
- VMware ESXi
- VMware vCenter Server
- VMware Workstation Pro
- VMware Fusion
- VMware Cloud Foundation
- VMware Telco Cloud Platform
- VMware Telco Cloud Infrastructure
CVE-2025-41225 | VMware vCenter Server authenticated command-execution vulnerability
Description:
The vCenter Server contains an authenticated command-execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8. A malicious actor with privileges to create or modify alarms and run script actions may exploit this issue to run arbitrary commands on the vCenter Server.
Resolution:
To remediate CVE-2025-41225, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
CVE-2025-41226 | Guest Operations Denial-of-Service Vulnerability
Description:
VMware ESXi contains a denial-of-service vulnerability that occurs when performing a guest operation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.8. A malicious actor with guest operation privileges on a VM, who is already authenticated through vCenter Server or ESXi, may trigger this issue to create a denial-of-service condition on guest VMs with VMware Tools running and guest operations enabled.
Resolution:
To remediate CVE-2025-41226, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
CVE-2025-41227 | Denial-of-Service Vulnerability
Description:
VMware ESXi, Workstation, and Fusion contain a denial-of-service vulnerability due to certain guest options. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5. A malicious actor with non-administrative privileges within a guest operating system may be able to exploit this issue by exhausting memory of the host process, leading to a denial-of-service condition.
Resolution:
To remediate CVE-2025-41227, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
CVE-2025-41228 | VMware ESXi and vCenter Server Reflected Cross-Site Scripting (XSS) Vulnerability
Description:
VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.
Resolution:
To remediate CVE-2025-41228, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
Response Matrix:
VMware Product | Version | CVE | Severity | Fixed Version | Workarounds |
---|---|---|---|---|---|
vCenter Server | 8.0 | CVE-2025-41225, CVE-2025-41228 | Important | 8.0 U3e | None |
vCenter Server | 7.0 | CVE-2025-41225 | Important | 7.0 U3v | None |
VMware ESXi | 8.0 | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | Moderate | ESXi80U3se-24659227 | None |
VMware ESXi | 7.0 | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | Moderate | ESXi70U3sv-24723868 | None |
VMware Cloud Foundation (vCenter) | 5.x | CVE-2025-41225, CVE-2025-41228 | Important | Async patch to 8.0 U3e | None |
VMware Cloud Foundation (vCenter) | 4.5.x | CVE-2025-41225 | Important | Async patch to 7.0 U3v | None |
VMware Cloud Foundation (ESXi) | 5.x | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | Moderate | Async patch to ESXi80U3se-24659227 | None |
VMware Cloud Foundation (ESXi) | 4.5.x | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | Moderate | Async patch to ESXi70U3sv-24723868 | None |
VMware Telco Cloud Platform (ESXi) | 5.x, 4.x, 3.x, 2.x | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | Moderate | ESXi80U3se-24659227 | None |
VMware Telco Cloud Infrastructure (ESXi) | 3.x | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | Moderate | ESXi80U3se-24659227 | None |
VMware Telco Cloud Infrastructure (ESXi) | 2.x | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | Moderate | ESXi70U3sv-24723868 | None |
VMware Telco Cloud Platform (vCenter) | 5.x, 4.x, 3.x, 2.x | CVE-2025-41225, CVE-2025-41228 | Important | 8.0 U3e | None |
VMware Telco Cloud Infrastructure (vCenter) | 3.x | CVE-2025-41225 | Important | 8.0 U3e | None |
VMware Telco Cloud Infrastructure (vCenter) | 2.x | CVE-2025-41225 | Important | 7.0 U3v | None |
VMware Workstation | 17.x | CVE-2025-41227 | Moderate | 17.6.3 | None |
VMware Fusion | 13.x | CVE-2025-41227 | Moderate | 13.6.3 | None |
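As an added defender-side check (not part of the advisory or any VMware tooling), the script below encodes the Response Matrix above and reports which of these CVEs remain open for each system in a constructed inventory. It assumes that an ESXi host is patched when its build number is at or above the numeric suffix of the fixed-version string, and that vCenter update suffixes within the same update level (U3) order alphabetically; hostnames, builds and update levels in the inventory are constructed.

```python
import re
# Fixed versions from the Response Matrix (ESXi build = numeric suffix of the fixed-version string).
ESXI_FIXED_BUILD = {"8.0": 24659227, "7.0": 24723868}
ESXI_CVES = ("CVE-2025-41226", "CVE-2025-41227", "CVE-2025-41228")
VCENTER_FIXED_UPDATE = {"8.0": "U3e", "7.0": "U3v"}
VCENTER_CVES = {"8.0": ("CVE-2025-41225", "CVE-2025-41228"), "7.0": ("CVE-2025-41225",)}

def _update_key(update: str):
    """Turn 'U3e' into (3, 'e') so update levels compare as (number, letter).
    Assumption: the letter suffix within one update level orders alphabetically."""
    m = re.fullmatch(r"U(\d+)([a-z]?)", update.strip())
    if not m:
        raise ValueError(f"unrecognised update designation: {update!r}")
    return int(m.group(1)), m.group(2)

def esxi_outstanding(version: str, build: int) -> list:
    """CVEs still open on an ESXi host; a build at or above the fixed build is patched."""
    fixed = ESXI_FIXED_BUILD.get(version)
    if fixed is None:
        return []  # version not in the matrix: not covered here, review manually
    return [] if build >= fixed else list(ESXI_CVES)

def vcenter_outstanding(version: str, update: str) -> list:
    """CVEs still open on a vCenter Server at the given update level (e.g. 'U3d')."""
    fixed = VCENTER_FIXED_UPDATE.get(version)
    if fixed is None:
        return []
    return [] if _update_key(update) >= _update_key(fixed) else list(VCENTER_CVES[version])

def report(inventory: list) -> dict:
    """Map each system name to the CVEs from this advisory it is still exposed to."""
    result = {}
    for item in inventory:
        if item["product"] == "ESXi":
            result[item["name"]] = esxi_outstanding(item["version"], item["build"])
        else:
            result[item["name"]] = vcenter_outstanding(item["version"], item["update"])
    return result

# Constructed inventory: names, builds and update levels are illustrative only.
INVENTORY = [
    {"name": "esx01", "product": "ESXi", "version": "8.0", "build": 24600000},
    {"name": "esx02", "product": "ESXi", "version": "7.0", "build": 24723868},
    {"name": "vc01", "product": "vCenter", "version": "8.0", "update": "U3d"},
    {"name": "vc02", "product": "vCenter", "version": "7.0", "update": "U3v"},
]
if __name__ == "__main__":
    for name, cves in report(INVENTORY).items():
        print(name, "OK" if not cves else "outstanding: " + ", ".join(cves))
```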
You can also check my VMware Product Release page for more information regarding released products, release notes, and download links.
Sources:
Broadcom Blog Post