Broadcom-owned VMware has released urgent security patches addressing seven newly discovered vulnerabilities affecting multiple core products, including VMware Cloud Foundation, vCenter Server, ESXi, Workstation, and Fusion. These flaws could allow attackers to execute arbitrary commands, leak sensitive data, and even cause denial-of-service (DoS) conditions—with no available workarounds for affected users.
The company detailed the issues across two separate security advisories: VMSA-2025-0009 and VMSA-2025-0010. Users are strongly advised to upgrade immediately, as there are no mitigations or temporary fixes currently available.
Cloud Foundation Under Threat: Network-Based Directory Traversal and More
The more severe of the two advisories, VMSA-2025-0009, includes three vulnerabilities in VMware Cloud Foundation, VMware’s flagship private cloud infrastructure product. These issues were reported by the NATO Cyber Security Centre and include:
- CVE-2025-41229 (CVSS 8.2) – A directory traversal vulnerability that allows an attacker with network access to port 443 to access internal services, potentially leaking sensitive data.
- CVE-2025-41230 (CVSS 7.5) – An information disclosure bug that may expose internal configuration or data.
- CVE-2025-41231 (CVSS 7.3) – A missing authorization flaw that can let unauthorized actors access restricted resources.
All three flaws affect VMware Cloud Foundation; the fixed release is version 5.2.1.2, which is the recommended upgrade path.
vCenter and ESXi Also Affected: Authenticated Code Execution Tops Risk List
The second advisory, VMSA-2025-0010, outlines four vulnerabilities across vCenter Server, ESXi, Workstation, and Fusion:
- CVE-2025-41225 (CVSS 8.8) – An authenticated command execution vulnerability in vCenter Server. Exploitation requires privileges to create or modify alarms; an attacker holding those privileges could run arbitrary commands on the management plane.
- Two DoS vulnerabilities (CVSS 6.8 and 5.5) – Affecting ESXi, Workstation, and Fusion, these can crash or destabilize services.
- One reflected XSS flaw (CVSS 4.3) – Found in both vCenter and ESXi, it could be used for phishing or manipulation of the management interface.
VMware has not reported any active exploitation of these flaws in the wild, but the lack of mitigations means affected environments are at serious risk until patches are applied.
Unlike some previous VMware advisories that offered temporary mitigations, these vulnerabilities come with no such options. VMware’s security teams urge all customers—especially enterprise and government users running mission-critical systems—to patch without delay.