Broadcom has issued advisory VMSA-2025-0016 to address three significant vulnerabilities impacting VMware vCenter Server and NSX products.
These flaws, all rated Important, enable malicious actors to manipulate SMTP headers and enumerate valid usernames, laying the groundwork for targeted attacks such as phishing, password spraying, and lateral movement.
Key Vulnerabilities
VMware’s advisory covers:
CVE ID | Description | CVSSv3 | Affected Products
---|---|---|---
CVE-2025-41250 | vCenter SMTP header injection | 8.5 | vCenter Server, Cloud Foundation, Telco Cloud |
CVE-2025-41251 | NSX weak password recovery mechanism allows enumeration | 8.1 | NSX, NSX-T, Cloud Foundation, Telco Cloud |
CVE-2025-41252 | NSX username enumeration via login response timing | 7.5 | NSX, NSX-T, Cloud Foundation, Telco Cloud |
CVE-2025-41250:
An attacker with permission to create scheduled tasks in vCenter Server can craft malicious notification emails by manipulating SMTP headers.
While this flaw does not directly expose data, it allows the extraction of internal email addresses and the delivery of spoofed messages.
Broadcom assigns a CVSSv3 base score of 8.5 for low-complexity, network-accessible exploitation with high integrity impact.
CVE-2025-41251:
This weakness in NSX’s password recovery workflow permits unauthenticated attackers to verify the existence of usernames.
By systematically submitting email addresses or usernames to the recovery endpoint, adversaries receive binary feedback on account validity.
The flaw, with a CVSSv3 score of 8.1, drastically simplifies the reconnaissance phase of targeted attacks.
CVE-2025-41252:
Subtle differences in NSX login response times enable attackers to infer which usernames are valid.
Automated tools can rapidly probe the authentication interface, distinguishing the responses returned for valid accounts from those returned for invalid ones.
Although rated slightly lower at 7.5, this vulnerability is equally concerning because it allows enumeration at speed.
Broadcom credits Per von Zweigbergk and the U.S. National Security Agency for the responsible disclosure of these flaws.
No workarounds exist beyond patching.
Organizations should apply the patches included in VMSA-2025-0016 without delay.
All supported releases of VMware Cloud Foundation, vSphere, vCenter Server, and Telco Cloud have updated versions available.
Administrators can choose between asynchronous patching for Cloud Foundation or in-place upgrades for on-premises deployments.
- Follow the Response Matrix in the official advisory to identify fixed versions.
- Monitor authentication and recovery logs for abnormal request patterns.
- Validate scheduled-task permissions and restrict them to essential administrative users only.
- Review SMTP notification configurations to ensure headers cannot be externally modified.
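As an added illustration of the log-monitoring recommendation above (not code from the advisory or from any VMware tooling), the following script flags a source address that submits many distinct usernames to the login or password-recovery endpoint within a short window, which is the request pattern the NSX enumeration flaws produce. The log line format, the endpoint names and the sample entries are all constructed for this example and are not NSX's real schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Line format constructed for this example; it is not NSX's real log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) endpoint=(?P<endpoint>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)
# Assumed endpoint names for the login and password-recovery paths.
WATCHED = {"/api/v1/login", "/password-recovery"}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrelated or malformed line
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "endpoint": m["endpoint"],
            "user": m["user"], "result": m["result"]}

def detect_enumeration(lines, window_seconds=60, threshold=5):
    """Map each source that probed >= threshold distinct usernames inside a sliding window to the peak count."""
    events = [e for e in map(parse_line, lines) if e and e["endpoint"] in WATCHED]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> (ts, user) pairs still inside the window
    alerts = {}
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests older than the window
        distinct = len({u for _, u in q})
        if distinct >= threshold:
            alerts[e["src"]] = max(alerts.get(e["src"], 0), distinct)
    return alerts

# Constructed sample: one source sweeps six usernames through recovery in seconds.
SAMPLE_LOG = """\
2025-09-30T10:00:01Z src=198.51.100.7 endpoint=/api/v1/login user=jsmith result=ok
2025-09-30T10:00:05Z src=203.0.113.5 endpoint=/password-recovery user=admin result=not_found
2025-09-30T10:00:06Z src=203.0.113.5 endpoint=/password-recovery user=root result=not_found
2025-09-30T10:00:07Z src=203.0.113.5 endpoint=/password-recovery user=jsmith result=sent
2025-09-30T10:00:08Z src=203.0.113.5 endpoint=/password-recovery user=backup result=not_found
2025-09-30T10:00:09Z src=203.0.113.5 endpoint=/password-recovery user=svc-nsx result=not_found
2025-09-30T10:00:10Z src=203.0.113.5 endpoint=/password-recovery user=admin result=not_found
2025-09-30T10:00:11Z src=203.0.113.5 endpoint=/password-recovery user=auditor result=not_found
""".splitlines()

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

Tune `window_seconds` and `threshold` to the normal recovery-request rate of your environment so a single forgotten-password user does not trip the alert.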
Username enumeration hands an attacker half of what an account compromise requires: a confirmed valid username.
When combined with social engineering or brute-force methods, these vulnerabilities can quickly lead to broader network infiltration.
Promptly applying patches and tightening access controls is critical to thwart enumeration threats in VMware environments.