Red Hot Cyber
Three serious vulnerabilities discovered in VMware vCenter and NSX: apply patches immediately.

29 September 2025 21:49

On September 29, 2025, Broadcom released security advisory VMSA-2025-0016, addressing three vulnerabilities identified in VMware vCenter and VMware NSX products. The bugs affect several solutions in the VMware ecosystem and have a severity rating of High, with a CVSSv3 score between 7.5 and 8.5.

The vulnerabilities affect the following components and platforms:

  • VMware vCenter Server
  • VMware NSX and NSX-T
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform
  • VMware Telco Cloud Infrastructure

Vulnerability Details

The identified vulnerabilities are classified as CVE-2025-41250, CVE-2025-41251 and CVE-2025-41252.

CVE-2025-41250 – SMTP Header Injection in vCenter
A weakness in VMware vCenter allows SMTP header injection. A user with non-administrative privileges, but authorized to create scheduled tasks, could manipulate notification emails sent by the system. The vulnerability has a maximum CVSS score of 8.5.

  • Resolution: Install the patches indicated in the Response Matrix.
  • Acknowledgements: Report by Per von Zweigbergk.
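As an added illustration of the vulnerability class behind CVE-2025-41250 (this is constructed example code, not from the advisory or from VMware), a small notification builder: the raw-string version copies a user-supplied scheduled-task name straight into the Subject header, so a CR/LF in that name starts a new header; the hardened version rejects such input and lets the email library enforce the same rule. All names and sample values are assumptions.

```python
import re
from email.message import EmailMessage

# Constructed sample values: a scheduled-task name as a non-admin user might
# supply it, once harmless and once carrying a line break.
SAFE_TASK_NAME = "Nightly backup of vm-db-01"
CRLF_TASK_NAME = "Nightly backup\r\nBcc: outsider@example.invalid"

# A CR or LF inside a header value ends that header line; whatever follows is
# parsed as a new header. That is the whole mechanism of SMTP header injection.
_HEADER_BREAK = re.compile(r"[\r\n]")


def has_header_break(value: str) -> bool:
    """True if value could terminate a header line and inject another."""
    return _HEADER_BREAK.search(value) is not None


def build_notification_unsafe(task_name: str, recipient: str) -> str:
    """Vulnerable pattern: the mail is assembled as a raw string and the task
    name is interpolated into the Subject line without validation."""
    return (
        f"To: {recipient}\r\n"
        f"Subject: Scheduled task '{task_name}' completed\r\n"
        "\r\n"
        f"Task '{task_name}' finished.\r\n"
    )


def build_notification_safe(task_name: str, recipient: str) -> EmailMessage:
    """Hardened pattern: validate the untrusted field, then set headers through
    EmailMessage. With the default policy, EmailMessage itself raises ValueError
    on CR/LF in a header value, so the check and the library back each other up."""
    if has_header_break(task_name):
        raise ValueError("task name must not contain CR or LF")
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = f"Scheduled task '{task_name}' completed"
    msg.set_content(f"Task '{task_name}' finished.")
    return msg


def header_names(raw: str) -> list[str]:
    """List the header names a receiving MTA would see in a raw message,
    which makes an injected header visible as an extra entry."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if ":" in line]
```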

CVE-2025-41251 – Weak password recovery mechanism in NSX
VMware NSX has a flaw in its password recovery system. An unauthenticated attacker could exploit this to enumerate valid usernames, opening the way for brute-force attacks. The issue has been rated with a maximum score of 8.1.

  • Resolution: Updates are available in the fixed versions indicated by Broadcom.
  • Acknowledgements: This report was attributed to the National Security Agency (NSA).

CVE-2025-41252 – Username Enumeration in NSX
An additional vulnerability in VMware NSX allows an unauthenticated user to enumerate valid accounts, increasing the risk of unauthorized access attempts. The vulnerability has been rated with a maximum criticality score of 7.5.

  • Resolution: Official patches are available in the Response Matrix.
  • Acknowledgements: Also reported by the National Security Agency (NSA).

Broadcom recommends applying the provided patches immediately for all affected distributions. There are no workarounds or temporary mitigations currently planned.


Silvia Felici
Security Advisor for Red Hot Cyber, covering open source technologies and supply chain security. Network Operations Specialist at FiberCop S.p.A., she has solid experience in protecting and managing complex networks and contributes actively to outreach on, and the defence of, the Italian digital ecosystem.
Areas of Expertise: Network Operations, Open Source, Supply Chain Security, Technological Innovation, Operating Systems.