VMware Security Patch Includes NATO-Watched Zero-Day Exploit

https://www.securityweek.com



VMware Urges Immediate Updates for Critical Cloud and Virtualization Vulnerabilities

Broadcom-owned VMware issued urgent security advisories this week addressing seven high-impact vulnerabilities across its enterprise product suite, including VMware Cloud Foundation, ESXi, vCenter Server, Workstation, and Fusion. The company is strongly urging customers to patch immediately, as no temporary mitigations are available.


Critical Cloud Foundation Vulnerabilities (VMSA-2025-0009)

The most pressing advisory comes under VMSA-2025-0009, which details three vulnerabilities discovered in VMware Cloud Foundation. These issues were responsibly disclosed by the NATO Cyber Security Centre and include:

  • CVE-2025-41229 - Directory Traversal (CVSS 8.2):
    An attacker with access to port 443 could exploit this to reach internal services.

  • CVE-2025-41230 - Information Disclosure (CVSS 7.5)

  • CVE-2025-41231 - Missing Authorization (CVSS 7.3)

VMware Cloud Foundation, often used to deploy and manage private clouds, is directly at risk. The company is urging all customers to upgrade to version 5.2.1.2 without delay.

“A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to access certain internal services,” VMware warned.


Additional Virtualization Flaws (VMSA-2025-0010)

A second advisory, VMSA-2025-0010, addresses four more vulnerabilities affecting:

  • VMware ESXi

  • vCenter Server

  • Workstation

  • Fusion

The most severe among these is:

  • CVE-2025-41225 - Authenticated Command Execution in vCenter (CVSS 8.8):
    Exploitable by users with permission to create or modify alarms, allowing arbitrary command execution on the management plane.

Additional issues include:

  • Two Denial-of-Service (DoS) vulnerabilities (CVSS 6.8 and 5.5)

  • One Reflected Cross-Site Scripting (XSS) flaw (CVSS 4.3)

Again, VMware provides no workarounds, with patching as the only remediation path.

Source: https://www.securityweek.com
