VMware releases patches for security flaws in multiple virtualization products
Take action: If you are running VMware products, review this advisory. Highest priority for patching is vCenter Server, with a flaw that can be exploited to take control of the virtualization host. Make sure the administrative management HTTP/HTTPS interface is reachable only from trusted networks. Then proceed to review and patch the rest.
Learn More
VMware has released a security advisory (VMSA-2025-0010) addressing multiple vulnerabilities affecting its core virtualization products: VMware ESXi, vCenter Server, Workstation, Fusion, VMware Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure.
Vulnerability summary:
- CVE-2025-41225 (CVSS score 8.8): An authenticated command-execution vulnerability in vCenter Server that allows malicious actors with privileges to create or modify alarms and run script actions to execute arbitrary commands on the vCenter Server. This vulnerability is classified as Important severity.
- CVE-2025-41229 (CVSS score 8.2): A directory traversal vulnerability in VMware Cloud Foundation that could allow unauthorized access to internal services.
- CVE-2025-41230 (CVSS score 7.5): An information disclosure vulnerability in VMware Cloud Foundation that could expose sensitive information to attackers with network access to the platform.
- CVE-2025-41231 (CVSS score 7.3): A vulnerability involving missing authorization controls in VMware Cloud Foundation that could allow malicious actors with access to VMware Cloud Foundation appliances to perform unauthorized actions and access sensitive information without proper authentication.
- CVE-2025-41226 (CVSS score 6.8): A denial-of-service vulnerability in ESXi that occurs when performing guest operations. Attackers with guest operation privileges on a VM who are already authenticated through vCenter Server or ESXi may trigger this issue to create a denial-of-service condition affecting guest VMs with VMware Tools running and guest operations enabled.
- CVE-2025-41227 (CVSS score 5.5): A denial-of-service vulnerability in ESXi, Workstation, and Fusion due to certain guest options. Non-administrative users within a guest operating system may exploit this issue by exhausting memory of the host process, leading to a denial-of-service condition.
- CVE-2025-41228 (CVSS score 4.3): A reflected cross-site scripting vulnerability in ESXi and vCenter Server due to improper input validation. Attackers with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this vulnerability to steal cookies or redirect users to malicious websites.
The advisory notes that attackers targeting CVE-2025-41229 and CVE-2025-41230 only need network access to port 443 on affected VMware Cloud Foundation deployments to potentially exploit these vulnerabilities. This relatively low barrier to entry significantly increases the risk profile, as many organizations expose management interfaces to facilitate remote administration.
VMware has released patches for all affected products via VMSA-2025-0009 and VMSA-2025-0010.
For vCenter Server:
- Version 8.0: Update to 8.0 U3e (fixes CVE-2025-41225, CVE-2025-41228)
- Version 7.0: Update to 7.0 U3v (fixes CVE-2025-41225)
For VMware ESXi:
- Version 8.0: Apply patch ESXi80U3se-24659227 (fixes CVE-2025-41226, CVE-2025-41227, CVE-2025-41228)
- Version 7.0: Apply patch ESXi70U3sv-24723868 (fixes CVE-2025-41226, CVE-2025-41227, CVE-2025-41228)
For VMware Workstation and Fusion:
- Workstation 17.x: Update to version 17.6.3 (fixes CVE-2025-41227)
- Fusion 13.x: Update to version 13.6.3 (fixes CVE-2025-41227)
For VMware Cloud Foundation:
- 5.x installations: administrators should immediately update to version 5.2.1.2.
- 4.5.x installations: follow the guidance provided in knowledge base article KB398008.
For VMware Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure, specific async patches are available, as detailed in the advisory. VMware Cloud Foundation customers should consult KB88287 for async patching guidance.
All organizations running affected VMware products are strongly advised to implement the provided patches immediately. No mitigation workarounds are available for these vulnerabilities.
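To turn the fixed versions above into a patch-status check, here is an added example (not VMware code, not from the advisory) that triages a constructed inventory export against them. It assumes an ESXi host reporting the build number that closes the patch ID (24659227 / 24723868) or a later build carries the fix, infers the Cloud Foundation CVE mapping from the per-product descriptions above, and leaves out vCenter and Cloud Foundation 4.5.x because the summary gives no build or version to compare against.

```python
# Fixed versions as listed above. ESXi is keyed on the build number that
# closes the patch ID (ESXi80U3se-24659227, ESXi70U3sv-24723868); assumption:
# a host reporting that build or a later one carries the fix. The VCF CVE
# mapping is inferred from the per-product descriptions above. vCenter and
# VCF 4.5.x are omitted because the summary gives no build or version for them.
ESXI_CVES = ["CVE-2025-41226", "CVE-2025-41227", "CVE-2025-41228"]
FIXED = {
    ("ESXi", "8.0"): (24659227, ESXI_CVES),
    ("ESXi", "7.0"): (24723868, ESXI_CVES),
    ("Workstation", "17"): ((17, 6, 3), ["CVE-2025-41227"]),
    ("Fusion", "13"): ((13, 6, 3), ["CVE-2025-41227"]),
    ("Cloud Foundation", "5"): ((5, 2, 1, 2),
                                ["CVE-2025-41229", "CVE-2025-41230", "CVE-2025-41231"]),
}

# Constructed inventory export: name,product,version,build (build only for ESXi).
INVENTORY = """\
esx-01,ESXi,8.0.3,24674464
esx-02,ESXi,7.0.3,24585291
ws-dev,Workstation,17.6.2,
fusion-mac,Fusion,13.6.3,
vcf-mgmt,Cloud Foundation,5.2.1.1,
"""

def parse_version(text):
    """'5.2.1.1' -> (5, 2, 1, 1) so versions compare component-wise."""
    return tuple(int(part) for part in text.split("."))

def outstanding(product, version, build=None):
    """CVEs from the advisory still unpatched for one entry; [] if fixed or not covered."""
    parts = version.split(".")
    # ESXi streams are keyed on major.minor (8.0, 7.0); the others on major.
    stream = ".".join(parts[:2]) if product == "ESXi" else parts[0]
    if (product, stream) not in FIXED:
        return []
    fixed, cves = FIXED[(product, stream)]
    if product == "ESXi":
        # An unknown build is treated as unpatched (conservative).
        return [] if build is not None and build >= fixed else list(cves)
    return [] if parse_version(version) >= fixed else list(cves)

def triage(inventory_csv):
    """Map each unpatched inventory entry to the CVEs it is still exposed to."""
    findings = {}
    for line in filter(None, inventory_csv.splitlines()):
        name, product, version, build = line.split(",")
        cves = outstanding(product, version, int(build) if build else None)
        if cves:
            findings[name] = cves
    return findings
```

Running `triage(INVENTORY)` on the constructed export flags esx-02, ws-dev and vcf-mgmt; a missing ESXi build is reported as unpatched rather than silently passed.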