Analysis Summary

In June 2025, VMware disclosed three critical stored Cross-Site Scripting (XSS) vulnerabilities affecting its NSX network virtualization platform, with severity ratings ranging from moderate to high. These flaws impact NSX versions 4.0. x through 4.2. x and related platforms like VMware Cloud Foundation and Telco Cloud Infrastructure. The vulnerabilities arise from improper input validation and sanitization in key NSX components, allowing attackers with certain privileged access to inject malicious JavaScript payloads that execute within the context of legitimate administrative sessions.

The most severe vulnerability, CVE-2025-22243, affects the NSX Manager UI’s network configuration fields, where administrators can unknowingly trigger persistent script execution embedded by a privileged attacker. This stored XSS flaw allows malicious scripts in fields such as DNS names or IP descriptions, potentially enabling credential theft, session hijacking, or lateral movement within the management interface. Given that attackers must already have administrative rights to exploit this, the issue highlights the high-risk consequences of privilege escalation in NSX management environments.

Two additional vulnerabilities, CVE-2025-22244 and CVE-2025-22245, impact the gateway firewall’s custom response pages and the router port configuration fields, respectively. CVE-2025-22244 permits injection of scripts into HTML block pages, putting end-users at risk of session hijacking and phishing attacks when they encounter firewall-generated “blocked site” responses. Meanwhile, CVE-2025-22245 targets router port descriptions, enabling malicious payloads to execute when other users view or edit those settings, potentially compromising network traffic data and routing integrity. Both require configuration privileges and stem from insufficient input sanitization.

VMware has released patches for all affected NSX versions, urging immediate upgrades to NSX 4.2.2.1, 4.2.1.4, or 4.1.2.6, depending on the deployment. VMware Cloud Foundation users must apply asynchronous patching corresponding to their NSX versions. Since no effective workarounds exist, organizations must prioritize patch deployment to prevent exploitation, given the persistent nature of these stored XSS vulnerabilities and their potential to facilitate privilege escalation, session compromise, and broader network impact in critical infrastructure environments.

Impact

• Sensitive Credentials Theft
• Cross-site Scripting
• Privilege Escalation

Indicators of Compromise

CVE

• CVE-2025-22243

• CVE-2025-22244

• CVE-2025-22245

Affected Vendors

Remediation

• Refer to the VMware Security Advisory for patch, upgrade, or suggested workaround information.
• Immediately upgrade VMware NSX to the following patched versions based on your deployment:vNSX 4.2.x: Upgrade to 4.2.2.1, NSX 4.2.1.x: Upgrade to 4.2.1.4, and NSX 4.1. x and 4.0.x: Upgrade to 4.1.2.6 (note: support for 4.0.x is discontinued, migration recommended).
• For VMware Cloud Foundation environments, apply asynchronous patching corresponding to the NSX version in use: Cloud Foundation 5.2. x requires NSX 4.2.2.1, and Earlier Cloud Foundation versions require NSX 4.1.2.6.
• Prioritize patching as no effective workarounds exist for these vulnerabilities.
• Review and restrict administrative privileges to minimize risk exposure, since exploitation requires privileged access.
• Monitor NSX management interfaces and network components for unusual activity indicative of exploitation attempts.