Broadcom on Monday announced patches for six vulnerabilities affecting VMware Aria Operations, NSX, vCenter, and VMware Tools products, including four high-severity flaws.
Both Aria Operations and VMware Tools are impacted by a high-severity local privilege escalation bug tracked as CVE-2025-41244.
“A malicious local actor with non-administrative privileges accessing a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled might exploit this vulnerability to escalate privileges to root on the same VM,” the vendor explains.
Patches have also been rolled out for a medium-severity issue in VMware Aria Operations that could allow attackers to disclose the credentials of other users (CVE-2025-41245), and a high-severity defect in Tools for Windows that could allow attackers to access other guest VMs (CVE-2025-41246).
Fixes for these vulnerabilities were included in Aria Operations version 8.18.5, Cloud Foundation and vSphere Foundation versions 9.0.1.0 and 13.0.5.0, VMware Tools versions 13.0.5 and 12.5.4, and Telco Cloud Infrastructure versions 8.18.5 and 8.18.5.
VMware resolved a high-severity SMTP header injection bug (CVE-2025-41250) in vCenter that could allow an authenticated attacker with non-administrative privileges to “manipulate the notification emails sent for scheduled tasks”.
Additionally, it patched two high-severity flaws in NSX that could allow attackers to enumerate valid usernames.
The first, CVE-2025-41251, is described as a weak password recovery mechanism issue that could lead to brute-force attacks, while the second, CVE-2025-41252, is described as a username enumeration defect that could lead to unauthorized access attempts.
Cloud Foundation and vSphere Foundation version 9.0.1.0, vCenter versions 8.0 U3g and 7.0 U3w, Cloud Foundation versions 5.2.2 and 7.0 U3w (async patch), NSX versions 4.2.2.2, 4.2.3.1, and 4.1.2.7, and NSX-T version 3.2.4.3 contain fixes for these flaws. VMware also published patch instructions for Cloud Foundation and Telco Cloud Infrastructure.
VMware makes no mention of any of these vulnerabilities being exploited in the wild. Nonetheless, users are advised to update their deployments as soon as possible.



