

Severity
High
Analysis Summary
Broadcom’s VMware division has disclosed four newly identified vulnerabilities affecting several of its core virtualization products, most notably VMware vCenter Server, ESXi, Workstation, and Fusion. The most critical of these is CVE-2025-41225, an authenticated command execution flaw in vCenter Server, rated with a CVSS score of 8.8. This vulnerability allows users with permissions to create or modify alarms and run script actions to execute arbitrary commands on the vCenter Server. Given vCenter’s role in managing virtual infrastructure, exploitation could lead to full compromise of enterprise virtualization environments. VMware has emphasized the urgency of patching this issue immediately to avoid potential exploitation.
The advisory also includes three other vulnerabilities with severity ratings ranging from Moderate to Important. CVE-2025-41226 is a denial-of-service vulnerability in ESXi, which can be triggered by attackers with guest OS privileges during guest operations. CVE-2025-41227 affects Workstation, Fusion, and ESXi, allowing non-administrative users inside guest systems to create DoS conditions by exhausting host memory resources. Additionally, CVE-2025-41228 is a reflected cross-site scripting vulnerability in ESXi and vCenter login pages, potentially enabling attackers with network access to steal cookies or redirect users to malicious websites.
These vulnerabilities affect a wide range of VMware products, including ESXi 7.0 and 8.0, vCenter Server 7.0 and 8.0, VMware Workstation 17.x, Fusion 13.x, VMware Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure. VMware has issued specific patches to mitigate the risks: vCenter Server users should upgrade to 8.0 U3e or 7.0 U3v, ESXi users should apply patch ESXi80U3se-24659227 or ESXi70U3sv-24723868, and Workstation and Fusion users are advised to update to versions 17.6.3 and 13.6.3, respectively.
These disclosures follow a pattern of increasing scrutiny of VMware’s security, especially after recent advisories in March and earlier this month, in which Broadcom highlighted vulnerabilities in VMware Cloud Foundation and ESXi that enabled unauthorized access and remote code execution. Because no workarounds are available for the current set of flaws, immediate patching is essential. Given VMware’s widespread use in enterprise environments, unpatched systems could pose a significant threat to organizational infrastructure, making this advisory critical for all VMware customers.
Impact
- Gain Access
- DoS Conditions
- Cross-site Scripting
Indicators of Compromise
CVE
- CVE-2025-41225
- CVE-2025-41226
- CVE-2025-41227
- CVE-2025-41228
Affected Vendors
Affected Products
- VMware vCenter Server
- VMware ESXi
- VMware Workstation
- VMware Fusion
Remediation
- Refer to the VMware Security Advisory for patch, upgrade or suggested workaround information.
- Ensure all updates are downloaded directly from VMware’s official site or trusted enterprise repositories.
- Prioritize patching systems exposed to untrusted networks or internet-facing services.
- Review and restrict permissions related to alarm creation and script execution in vCenter Server to minimize exploitation risk.
- Perform regular vulnerability scans and verify that updates have been successfully applied across all systems.
- Monitor system logs for any unusual activity, especially on management interfaces like vCenter and ESXi login pages.
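
One way to carry out the "verify that updates have been successfully applied" step, as an added example that is not part of the original advisory: a Python check that compares an inventory export against the fixed releases listed in the Analysis Summary. The inventory layout, field names and host names are assumptions, and ESXi build numbers are assumed to increase within a release line.

```python
import re

# Fixed releases exactly as listed in the advisory text above.
FIXED_VCENTER = {"8.0": "U3e", "7.0": "U3v"}
FIXED_ESXI_BUILD = {"8.0": 24659227, "7.0": 24723868}
FIXED_DESKTOP = {"workstation": (17, 6, 3), "fusion": (13, 6, 3)}

def update_key(label):
    """Turn an update label such as 'U3e' into a sortable tuple (3, 'e')."""
    m = re.fullmatch(r"U(\d+)([a-z]?)", label.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised update label: {label!r}")
    return int(m.group(1)), m.group(2).lower()

def is_patched(entry):
    """Return True only if the entry is at or above the advisory's fixed release."""
    product = entry["product"].lower()
    if product == "vcenter":
        fixed = FIXED_VCENTER.get(entry["line"])
        # Release lines the advisory does not list count as not verified.
        return fixed is not None and update_key(entry["update"]) >= update_key(fixed)
    if product == "esxi":
        fixed = FIXED_ESXI_BUILD.get(entry["line"])
        # Assumption: build numbers only increase within one release line.
        return fixed is not None and int(entry["build"]) >= fixed
    if product in FIXED_DESKTOP:
        version = tuple(int(part) for part in entry["version"].split("."))
        return version >= FIXED_DESKTOP[product]
    raise ValueError(f"product not covered by this advisory: {product!r}")

def unpatched(inventory):
    """Names of systems that still need the update, in inventory order."""
    return [e["name"] for e in inventory if not is_patched(e)]

# Constructed sample inventory: host names and the below-fix values are made up.
SAMPLE_INVENTORY = [
    {"name": "vc-prod-01", "product": "vcenter", "line": "8.0", "update": "U3d"},
    {"name": "vc-dr-01", "product": "vcenter", "line": "7.0", "update": "U3v"},
    {"name": "esx-a-01", "product": "esxi", "line": "8.0", "build": "24659227"},
    {"name": "esx-b-07", "product": "esxi", "line": "7.0", "build": "24000000"},
    {"name": "dev-laptop-3", "product": "workstation", "version": "17.6.2"},
    {"name": "mac-lab-1", "product": "fusion", "version": "13.6.3"},
]

if __name__ == "__main__":
    for name in unpatched(SAMPLE_INVENTORY):
        print(f"NOT PATCHED: {name}")
```

Systems on a release line the advisory does not list are reported as not patched so that they get a manual review rather than a silent pass.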