
Broadcom has issued a security advisory addressing four newly disclosed vulnerabilities in several VMware products, including ESXi, vCenter Server, Workstation Pro, and Fusion. The flaws, tracked as CVE-2025-41225, CVE-2025-41226, CVE-2025-41227, and CVE-2025-41228, range from authenticated command execution on vCenter Server to guest-triggered denial of service and reflected XSS. None of the four is an unauthenticated remote code execution bug: each requires an existing vSphere or guest-OS account, or, for the XSS, a victim who follows a crafted link. They still pose a wide range of risks across virtualized infrastructure, because the most serious of them turns a comparatively modest alarm-management privilege into command execution on vCenter Server itself.
Authenticated Command Execution in vCenter Server (CVE-2025-41225)
Rated with a CVSSv3 base score of 8.8 (Important), this vulnerability allows an authenticated attacker to execute arbitrary commands on vCenter Server. The privilege required is not full administrator: it is the ability to create or modify alarms and attach a run-script action, a right that may be delegated to non-administrator roles, so the bug is effectively an escalation from alarm management to the vCenter Server host:
“A malicious actor with privileges to create or modify alarms and run script action may exploit this issue to run arbitrary commands on the vCenter Server,” the advisory explains.
Patching is available for vCenter versions 7.0 and 8.0.
Guest Operations Denial-of-Service (CVE-2025-41226)
This Moderate severity vulnerability (CVSS 6.8) resides in ESXi and is reached through the vSphere guest operations API, so it requires a vSphere account holding guest operation privileges on the target VM. Quoting the advisory: “A malicious actor with guest operation privileges on a VM… may trigger this issue to create a denial-of-service condition of guest VMs with VMware Tools running and guest operations enabled.”
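The check a vCenter administrator will want for the two privilege-gated issues above (CVE-2025-41225 and CVE-2025-41226) is who actually holds the privileges the advisory names, whether any alarm already carries a run-script action, and whether a script has run on an alarm that a non-administrator edited. The following is an added Python example, not code from Broadcom's advisory or from VMware. The role, permission, alarm and event structures are plain dicts constructed to mirror what a pyvmomi export would contain; the privilege IDs `Alarm.Create`, `Alarm.Edit` and `VirtualMachine.GuestOperations.*` and the event type names are the vSphere API identifiers, while the `EXPECTED_ADMINS` allowlist and all sample data are assumptions made for illustration.

```python
"""Audit helpers for the two vCenter-privilege-gated issues above.

Added example, not code from Broadcom's advisory or from VMware. Inputs are
plain dicts/lists constructed to mirror a pyvmomi export of roles,
permissions, alarm definitions and the event log; all sample data is made up.
"""

# Privileges named (by effect) in the advisory text, as vSphere privilege IDs.
ALARM_WRITE_PRIVS = {"Alarm.Create", "Alarm.Edit"}            # CVE-2025-41225
GUEST_OPS_PRIVS = {                                            # CVE-2025-41226
    "VirtualMachine.GuestOperations.Query",
    "VirtualMachine.GuestOperations.Modify",
    "VirtualMachine.GuestOperations.Execute",
}
# Principals expected to hold these rights (assumption); everyone else is reported.
EXPECTED_ADMINS = {"VSPHERE.LOCAL\\Administrator"}


def principals_with(roles, permissions, wanted_privs, allowed=EXPECTED_ADMINS):
    """Return {principal: role} for permissions whose role grants any privilege
    in wanted_privs, skipping principals in `allowed`.
    roles: {role_name: [privilege ids]}; permissions: [{principal, role, entity}]."""
    exposed = {}
    for perm in permissions:
        if set(roles.get(perm["role"], ())) & wanted_privs and perm["principal"] not in allowed:
            exposed[perm["principal"]] = perm["role"]
    return exposed


def alarms_with_script_actions(alarms):
    """Return [(alarm name, script)] for every alarm carrying a RunScriptAction."""
    return [(a["name"], act.get("script", ""))
            for a in alarms for act in a.get("actions", ())
            if act.get("type") == "RunScriptAction"]


def suspicious_alarm_script_runs(events, allowed=EXPECTED_ADMINS):
    """Flag alarm script executions whose alarm was last created or reconfigured
    by a principal outside `allowed`. Event dicts mirror vim.event.AlarmEvent
    fields, with the `alarm` argument flattened to its name."""
    last_editor = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["createdTime"]):
        if ev["type"] in ("AlarmCreatedEvent", "AlarmReconfiguredEvent"):
            last_editor[ev["alarm"]] = ev["userName"]
        elif ev["type"] in ("AlarmScriptCompleteEvent", "AlarmScriptFailedEvent"):
            editor = last_editor.get(ev["alarm"])
            if editor and editor not in allowed:
                hits.append({"alarm": ev["alarm"], "edited_by": editor,
                             "time": ev["createdTime"], "message": ev["fullFormattedMessage"]})
    return hits


# ---- constructed sample data (not from a real vCenter) ----
SAMPLE_ROLES = {
    "Admin": ["System.View", "Alarm.Create", "Alarm.Edit", "VirtualMachine.GuestOperations.Execute"],
    "ReadOnly": ["System.Anonymous", "System.View", "System.Read"],
    "HelpDesk": ["System.View", "Alarm.Create", "Alarm.Edit", "Alarm.SetStatus"],
    "AppOwner": ["System.View", "VirtualMachine.GuestOperations.Query",
                 "VirtualMachine.GuestOperations.Execute"],
}
SAMPLE_PERMISSIONS = [
    {"principal": "VSPHERE.LOCAL\\Administrator", "role": "Admin", "entity": "Datacenters"},
    {"principal": "CORP\\helpdesk-team", "role": "HelpDesk", "entity": "Datacenters"},
    {"principal": "CORP\\auditor", "role": "ReadOnly", "entity": "Datacenters"},
    {"principal": "CORP\\app-owners", "role": "AppOwner", "entity": "vm/app-tier"},
]
SAMPLE_ALARMS = [
    {"name": "Host connection state",
     "actions": [{"type": "SendEmailAction", "toList": "ops@example.com"}]},
    {"name": "Datastore usage on disk",
     "actions": [{"type": "RunScriptAction", "script": "/usr/bin/python /tmp/cleanup.py"}]},
]
SAMPLE_EVENTS = [
    {"createdTime": "2025-05-19T09:00:00Z", "type": "AlarmCreatedEvent", "alarm": "Host connection state",
     "userName": "VSPHERE.LOCAL\\Administrator", "fullFormattedMessage": "Alarm 'Host connection state' created"},
    {"createdTime": "2025-05-20T10:00:00Z", "type": "AlarmReconfiguredEvent", "alarm": "Datastore usage on disk",
     "userName": "CORP\\helpdesk-team", "fullFormattedMessage": "Alarm 'Datastore usage on disk' reconfigured"},
    {"createdTime": "2025-05-20T10:02:00Z", "type": "AlarmScriptCompleteEvent", "alarm": "Datastore usage on disk",
     "userName": "", "fullFormattedMessage": "Alarm 'Datastore usage on disk' ran script /tmp/cleanup.py"},
]

if __name__ == "__main__":
    print("alarm-write outside admins:", principals_with(SAMPLE_ROLES, SAMPLE_PERMISSIONS, ALARM_WRITE_PRIVS))
    print("guest-ops outside admins:  ", principals_with(SAMPLE_ROLES, SAMPLE_PERMISSIONS, GUEST_OPS_PRIVS))
    print("alarms with script actions:", alarms_with_script_actions(SAMPLE_ALARMS))
    for hit in suspicious_alarm_script_runs(SAMPLE_EVENTS):
        print("REVIEW:", hit)
```

On a real vCenter the three inputs come from `AuthorizationManager.roleList` and `retrieveAllPermissions`, `AlarmManager.getAlarm` and `EventManager`; the audit is only as good as the allowlist, so keep `EXPECTED_ADMINS` to the accounts that genuinely need alarm-write or guest-operations rights until the patch is applied.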
Host Memory Exhaustion Leading to DoS (CVE-2025-41227)
Affecting ESXi, Workstation, and Fusion, this bug can be triggered by a low-privilege user from inside a guest OS, which makes it relevant to any host running untrusted or multi-tenant guests. “A malicious actor with non-administrative privileges within a guest operating system may be able to exploit this issue by exhausting memory of the host process…”
With a CVSS score of 5.5, it still warrants patching: the denial of service originates from an unprivileged guest account and lands on the host-side process rather than staying inside the guest, so it can destabilize the virtualization host itself.
Reflected Cross-Site Scripting (XSS) in vCenter/ESXi (CVE-2025-41228)
Rated at CVSS 4.3, this web-based vulnerability arises from improper input validation in certain ESXi host and vCenter Server URL paths. As a reflected XSS it requires a victim to open a crafted link, while the attacker only needs network reachability to the login page. “A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.”
Affected Products
Products impacted include:
- VMware ESXi 7.0 and 8.0
- VMware vCenter Server 7.0 and 8.0
- VMware Cloud Foundation
- VMware Workstation 17.x
- VMware Fusion 13.x
- VMware Telco Cloud Platform and Infrastructure
Patch Availability
Fixes have been released in:
Links to detailed patch notes and update instructions are provided on Broadcom’s official techdocs portal.