High-Severity VMware NSX Vulnerabilities Patched by Broadcom
Summary
Broadcom has released security updates to address multiple high-severity vulnerabilities in VMware NSX and vCenter, reported by the U.S. National Security Agency (NSA) and independent security researchers. The flaws are CVE-2025-41250 (an SMTP header injection in vCenter), CVE-2025-41251 (a weakness in the password recovery mechanism), and CVE-2025-41252 (a username enumeration flaw). The latter two can be exploited by unauthenticated attackers to enumerate valid usernames, potentially leading to brute-force attacks or unauthorized access. VMware NSX is a networking virtualization solution within VMware Cloud Foundation, enabling the deployment of traditional and modern applications in private/hybrid clouds. The vulnerabilities highlight the ongoing risk of state-sponsored and cybercriminal exploitation of VMware products. Additionally, Broadcom disclosed three more security flaws in VMware Aria Operations and VMware Tools (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246). These vulnerabilities could allow attackers to escalate privileges to root, steal credentials, or access guest VMs. The NSA's disclosure suggests potential exploitation interest from nation-state actors.
Timeline
- 30.09.2025 15:10 (2 articles)
Broadcom patches high-severity VMware NSX vulnerabilities
The vulnerabilities affect VMware Cloud Foundation, NSX-T, VMware Telco Cloud Platform, VMware vCenter Server, and VMware Telco Cloud Infrastructure. The SMTP header injection vulnerability (CVE-2025-41250) allows attackers with non-administrative privileges to modify email notifications associated with scheduled tasks. The vulnerabilities might be combined to create an attack path from unauthenticated reconnaissance to authenticated compromise. The NSA's disclosure suggests potential exploitation interest from nation-state actors.
Sources:
- Broadcom fixes high-severity VMware NSX bugs reported by NSA — www.bleepingcomputer.com — 30.09.2025 15:10
- Broadcom Issues Patches for VMware NSX and vCenter Security Flaws — www.infosecurity-magazine.com — 01.10.2025 18:45
Information Snippets
- CVE-2025-41251 is a weakness in the password recovery mechanism that allows unauthenticated attackers to enumerate valid usernames.
  First reported: 30.09.2025 15:10 (2 sources: www.bleepingcomputer.com, www.infosecurity-magazine.com)
- CVE-2025-41252 is a username enumeration vulnerability that can be exploited by unauthenticated threat actors to enumerate valid usernames.
  First reported: 30.09.2025 15:10 (2 sources: www.bleepingcomputer.com, www.infosecurity-magazine.com)
- VMware NSX is a networking virtualization solution within VMware Cloud Foundation.
  First reported: 30.09.2025 15:10 (2 sources: www.bleepingcomputer.com, www.infosecurity-magazine.com)
- The NSA reported the vulnerabilities to Broadcom.
  First reported: 30.09.2025 15:10 (2 sources: www.bleepingcomputer.com, www.infosecurity-magazine.com)
- Broadcom also patched a high-severity SMTP header injection vulnerability (CVE-2025-41250) in VMware vCenter.
  First reported: 30.09.2025 15:10 (2 sources: www.bleepingcomputer.com, www.infosecurity-magazine.com)
- Three additional security flaws in VMware Aria Operations and VMware Tools were disclosed by Broadcom.
  First reported: 30.09.2025 15:10 (2 sources: www.bleepingcomputer.com, www.infosecurity-magazine.com)
- The vulnerabilities affect VMware Cloud Foundation, NSX-T, VMware Telco Cloud Platform, VMware vCenter Server, and VMware Telco Cloud Infrastructure.
  First reported: 01.10.2025 18:45 (1 source: www.infosecurity-magazine.com)
- The SMTP header injection vulnerability (CVE-2025-41250) allows attackers with non-administrative privileges to modify email notifications associated with scheduled tasks.
  First reported: 01.10.2025 18:45 (1 source: www.infosecurity-magazine.com)
- The vulnerabilities might be combined to create an attack path from unauthenticated reconnaissance to authenticated compromise.
  First reported: 01.10.2025 18:45 (1 source: www.infosecurity-magazine.com)
- The NSA's disclosure suggests potential exploitation interest from nation-state actors.
  First reported: 01.10.2025 18:45 (1 source: www.infosecurity-magazine.com)
- Three additional vulnerabilities in VMware Aria Operations and VMware Tools (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246) could allow attackers to escalate privileges to root, steal credentials, or access guest VMs.
  First reported: 01.10.2025 18:45 (1 source: www.infosecurity-magazine.com)
Similar Happenings
Remote Code Execution Vulnerability in DrayTek Vigor Routers
DrayTek has disclosed a remote code execution vulnerability in several Vigor router models. The flaw, CVE-2025-10547, allows unauthenticated remote attackers to execute arbitrary code by sending crafted HTTP or HTTPS requests to the Web User Interface (WebUI). Successful exploitation can cause memory corruption and system crashes, potentially leading to remote code execution. The vulnerability affects a wide range of Vigor router models, commonly used in prosumer and SMB environments. DrayTek has released firmware updates to mitigate the risk, and administrators are advised to apply these updates immediately.
UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024
A China-linked threat actor, UNC5174, has been exploiting a zero-day privilege escalation vulnerability in VMware products since mid-October 2024. The flaw, CVE-2025-41244, affects multiple VMware products and allows local attackers to escalate privileges to root on affected virtual machines. The vulnerability was discovered in May 2025 and patched in VMware Tools 12.4.9 and later versions. The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory. UNC5174 has been observed using this method to gain elevated access and execute code on compromised systems. The exact payload and nature of the attacks remain unclear. Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, Asian institutions, and the cybersecurity firm SentinelOne, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and a ConnectWise ScreenConnect flaw. Exploitation of CVE-2025-41244 is considered trivial, and multiple malware strains could potentially benefit from it. NVISO identified the vulnerability in mid-May 2025 during an incident response engagement involving UNC5174. Broadcom disclosed three vulnerabilities on September 29, 2025, including CVE-2025-41244. The CVSS severity rating for CVE-2025-41244 is 7.8, classified as high.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboots and system upgrades. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks.

The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families such as RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances are vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. GreyNoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave FCEB agencies 24 hours to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed the LINE VIPER shellcode loader malware and the RayInitiator GRUB bootkit.
VMScape attack breaks guest-host isolation on AMD, Intel CPUs
A new speculative execution attack named VMScape allows malicious virtual machines (VMs) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs. The attack bypasses existing Spectre mitigations and threatens to leak sensitive data by leveraging speculative execution. It affects all AMD Zen 1 to Zen 5 processors and Intel’s Coffee Lake CPUs, but not Raptor Cove or Gracemont. The attack does not require compromising the host and works on unmodified virtualization software with default mitigations enabled on the hardware. The VMScape attack targets QEMU, the user-mode hypervisor component, by influencing indirect branch prediction in a host user process due to shared Branch Prediction Unit (BPU) structures. The attack uses a Spectre-BTI (Branch Target Injection) technique to misguide a target indirect branch in QEMU, enabling the leakage of secret data. The ETH Zurich research team reported the findings to AMD and Intel, who have released patches and security bulletins. Linux kernel developers have also released patches to mitigate the issue.
Erlang/OTP SSH RCE Exploits Targeting OT Firewalls
A surge in exploitation of CVE-2025-32433, a critical security flaw in Erlang/OTP SSH, has been observed since May 2025. Approximately 70% of these exploits target operational technology (OT) firewalls. This vulnerability, patched in April 2025, allows attackers to execute arbitrary code on vulnerable systems without authentication. The attacks have primarily affected the healthcare, agriculture, media, entertainment, and high technology sectors in the U.S., Canada, Brazil, India, Australia, Japan, the Netherlands, Ireland, and France. The exploitation involves using reverse shells to gain unauthorized remote access to target networks. The specific threat actors behind these efforts remain unidentified. The flaw is due to improper state enforcement in the Erlang/OTP SSH daemon, allowing unauthenticated clients to execute commands by sending SSH connection protocol messages to open SSH ports. The flaw has been exploited to create TCP connections and bind them to a shell, allowing interactive command execution over the network. The flaw could have severe consequences for an organization, its network, and its operations, including the compromise of sensitive information and disruption of operations.