Broadcom Patches High-Severity VMware Vulnerabilities Reported by NSA
Wed | Oct 1, 2025 | 12:52 PM PDT

Broadcom has released multiple security updates to address high-severity vulnerabilities in VMware products, including VMware NSX and vCenter. Two of the flaws were reported directly by the U.S. National Security Agency (NSA), underscoring potential interest from nation-states in exploiting these vulnerabilities.

NSA reported VMware NSX vulnerabilities

The NSA flagged two username enumeration vulnerabilities in VMware NSX, tracked as CVE-2025-41251 and CVE-2025-41252.

  • CVE-2025-41251 stems from a weakness in the password recovery mechanism that allows unauthenticated attackers to enumerate valid usernames.

  • CVE-2025-41252 also enables unauthenticated threat actors to confirm valid usernames, raising the risk of brute-force or credential-based attacks.

"These vulnerabilities might be combined to create a viable attack path from unauthenticated reconnaissance to authenticated compromise," explained Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit. "Initial compromise can be done via CVE-2025-41251 and CVE-2025-41252. Once authenticated, threat actors will exploit the vCenter SMTP header injection to potentially redirect sensitive communication and escalate their privileges."

The NSA last reported VMware flaws in 2020 (CVE-2020-4006), which were subsequently exploited by Russian state-sponsored actors. The agency's involvement again suggests possible nation-state interest.

Additional VMware flaws disclosed

In addition to the NSX vulnerabilities, Broadcom patched a high-severity SMTP header injection bug (CVE-2025-41250) in VMware vCenter. The flaw allows attackers with non-administrative privileges to manipulate notification emails tied to scheduled tasks.

Broadcom also disclosed three additional vulnerabilities affecting VMware Aria Operations and VMware Tools (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246). These could enable privilege escalation to root, credential theft, and cross-VM access within shared environments.

Expert perspective: why these flaws matter

While the patched vulnerabilities are rated High rather than Critical, security experts caution against dismissing their potential impact.

"The two NSX bugs allow unauthenticated users to confirm which usernames exist on a system," said Jason Soroko, Senior Fellow at Sectigo. "Even without direct code execution, these kinds of flaws are attractive building blocks that adversaries combine with weak or reused credentials to pivot deeper—which helps explain why an intelligence agency would flag them."

Soroko also noted that there is currently no public confirmation of exploitation in the wild, with vendor notes and reporting focused on patch availability rather than observed attacks.

Mitigation recommendations

Security researchers recommend that organizations act swiftly to secure their environments:

  • Audit and patch all affected VMware products immediately.

  • Implement email security controls to detect and block manipulated SMTP headers.

  • Use network segmentation to limit exposure of NSX management interfaces and monitor for username enumeration attempts.
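One way to act on the last recommendation, as an added example that is not from the article or from Broadcom: a detector that flags any source submitting many distinct usernames to login or password-recovery endpoints within a short window. The JSON log format, the `/example/...` paths and the threshold are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical paths: substitute what your proxy in front of the NSX
# management interface records for login and password recovery.
WATCHED_PATHS = {"/example/password-recovery", "/example/login"}
WINDOW = timedelta(minutes=5)
MAX_DISTINCT_USERS = 5  # assumed threshold; tune to your own baseline

# Constructed sample events (JSON lines), not real product output.
SAMPLE_LOG = [
    json.dumps({"ts": f"2025-10-01T12:00:{i:02d}", "src": "198.51.100.7",
                "path": "/example/password-recovery", "user": f"user{i}"})
    for i in range(8)   # one source probing eight different usernames
] + [
    json.dumps({"ts": f"2025-10-01T12:01:{i:02d}", "src": "192.0.2.10",
                "path": "/example/login", "user": "alice"})
    for i in range(8)   # one source retrying a single username
] + ["not json at all"]


def find_enumeration(lines):
    """Map each flagged source to its peak distinct-username count per WINDOW."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
            ev = (datetime.fromisoformat(e["ts"]), e["src"], e["user"])
            if e["path"] in WATCHED_PATHS:
                events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records instead of aborting
    recent = defaultdict(deque)  # src -> (timestamp, username) pairs
    flagged = {}
    for ts, src, user in sorted(events, key=lambda ev: ev[0]):
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > WINDOW:  # drop events older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > MAX_DISTINCT_USERS:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, n in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct usernames within {WINDOW}")
```

Counting distinct usernames rather than raw requests separates enumeration from repeated attempts against a single account, which a lockout policy already covers.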

As Dani warned, these vulnerabilities—though individually limited—could serve as stepping stones in a broader attack chain if combined. Given the NSA's involvement and VMware's wide deployment across enterprise environments, timely patching is essential.

Follow SecureWorld News for more stories related to cybersecurity.
