Threat actors could retrieve valid usernames from VMware by exploiting vulnerabilities

Three new vulnerabilities have been found in critical VMware products, including two that could be used to recover usernames.

The trio of holes, two of which were found by the US National Security Agency (NSA), were divulged Monday and tagged “Important” in terms of severity.

Patches are available to plug all three.

“Organizations that delay patching face increased incident risk,” said Ed Dubrovsky, chief operating officer of incident response firm Cypfer. “An attacker could slip into internal systems under the radar, pivot to sensitive assets, or use the reconnaissance data to mount more damaging follow‑on attacks. There is no good reason for organizations to allow the adversary’s reconnaissance toolkit to grow, or to lower the barrier for lateral movement or phishing escalation, so patch as soon as possible.”

The vulnerabilities are:

CVE-2025-41250, an SMTP header injection vulnerability in vCenter, the centralized management platform for VMware’s virtualization software. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks, says the advisory.
“Given that it does require authentication, the exploit possibilities are likely limited,” commented Johannes Ullrich, dean of research at the SANS Institute;

CVE-2025-41251, a weak password recovery mechanism vulnerability in NSX, the company’s virtualization solution for networks. An unauthenticated malicious actor could exploit this vulnerability to enumerate valid usernames, says the advisory, potentially leading to brute-force attacks;

CVE-2025-41252, a username enumeration vulnerability, also in NSX. An unauthenticated malicious actor may exploit this vulnerability to enumerate valid usernames, says the advisory, potentially leading to unauthorized access attempts.
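The first item above describes the SMTP header injection class. The following added example is not VMware code and says nothing about how vCenter builds its mail; it shows, on a constructed notification with a user-controlled scheduled-task name, why raw string concatenation into headers is the defect and what the hardened version checks. The addresses and task names are sample values.

```python
"""Added illustration of the SMTP header injection class: a notification
email whose Subject is built from a user-controlled scheduled-task name.
Not VMware code; all addresses and task names are constructed samples."""
import re
from email.message import EmailMessage
from email.policy import SMTP

CRLF_RE = re.compile(r"[\r\n]")


def build_notification_unsafe(task_name: str, to_addr: str) -> str:
    """Vulnerable pattern: headers are concatenated as raw text, so a task
    name carrying CR/LF ends the Subject line and adds headers of its own."""
    return (
        "From: noreply@example.test\r\n"
        f"To: {to_addr}\r\n"
        f"Subject: Scheduled task '{task_name}' completed\r\n"
        "\r\n"
        "The scheduled task finished.\r\n"
    )


def build_notification_safe(task_name: str, to_addr: str) -> str:
    """Hardened pattern: refuse any header value containing CR or LF, then let
    the email library (which also rejects embedded newlines) serialize it."""
    if CRLF_RE.search(task_name) or CRLF_RE.search(to_addr):
        raise ValueError("header value must not contain CR or LF")
    msg = EmailMessage(policy=SMTP)
    msg["From"] = "noreply@example.test"
    msg["To"] = to_addr
    msg["Subject"] = f"Scheduled task '{task_name}' completed"
    msg.set_content("The scheduled task finished.")
    return msg.as_string()


def header_names(raw: str) -> list[str]:
    """Parse the header block of a raw message; an unexpected header name
    is the tell-tale of a successful injection (useful in a regression test)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if ":" in line]


# Constructed sample: a task name that smuggles in an extra header line.
INJECTED_NAME = "nightly-backup\r\nX-Injected: 1"
```

The same check belongs on every value that lands in a header (recipient, subject, display name), not only the task name.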

The NSA said it couldn’t comment by CSO’s deadline.

“As far as vulnerabilities go, the ability to enumerate users is minor and common in password reset forms,” said Ullrich. “Many password reset features will let the user know if an account they are trying to reset the password for does not exist. This can be used to identify accounts that exist.”

Although the bug needs to be patched, he doesn’t view it as a high priority. “The user enumeration could be leveraged for more efficient brute forcing, but brute forcing may happen without it. CISOs should look into how brute forcing is mitigated, for example, via a web application firewall or configuration options in vCenter.”
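Ullrich’s description of how a password reset form leaks account existence, and his point that brute forcing needs its own mitigation, are illustrated by the following added example. It is not NSX code and assumes nothing about how NSX answers reset requests; the user store, the handlers and the access-log lines are constructed samples.

```python
"""Added illustration of the password-reset user enumeration class: an
endpoint that answers differently for known and unknown accounts lets an
unauthenticated caller build a list of valid usernames. Not NSX code; the
user store and log lines below are constructed samples."""
from collections import defaultdict
from dataclasses import dataclass

KNOWN_USERS = {"admin", "vcenter-svc", "ops-jane"}  # constructed sample store


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def reset_unsafe(username: str) -> Response:
    """Vulnerable pattern: the existence check leaks through status and text."""
    if username not in KNOWN_USERS:
        return Response(404, "No account found for that username")
    return Response(200, "A reset link has been sent")


def reset_safe(username: str) -> Response:
    """Hardened pattern: same status and wording whether or not the account
    exists; the mail is queued out of band and its outcome never reflected."""
    if username in KNOWN_USERS:
        pass  # enqueue the reset mail here; nothing about it reaches the caller
    return Response(200, "If that account exists, a reset link has been sent")


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Self-check for defenders: the endpoint is enumerable if two probes differ."""
    return handler(known) != handler(unknown)


def enumeration_suspects(log_lines, threshold: int = 5):
    """Detection over access-log lines of the form '<ip> <path> <username>':
    flag any source that hit the reset path with many distinct usernames.
    This works even when the endpoint already answers uniformly."""
    names_by_ip = defaultdict(set)
    for line in log_lines:
        ip, path, username = line.split()
        if path == "/reset":
            names_by_ip[ip].add(username)
    return sorted(ip for ip, names in names_by_ip.items() if len(names) >= threshold)


# Constructed sample log: one source walking a wordlist, one ordinary user.
SAMPLE_LOG = [
    "203.0.113.7 /reset admin", "203.0.113.7 /reset root", "203.0.113.7 /reset backup",
    "203.0.113.7 /reset ops-jane", "203.0.113.7 /reset test", "203.0.113.7 /reset svc",
    "198.51.100.2 /reset ops-jane", "198.51.100.2 /reset ops-jane",
]
```

A uniform body is necessary but not sufficient: if the known-user branch does measurably more work (a database write, sending mail inline), response timing still distinguishes the two cases, so the slow path belongs in a background queue.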

vCenter shouldn’t be exposed to the internet, he added. Instead, access should be through a VPN.

Impacted products in addition to NSX and vCenter are VMware Cloud Foundation, an integrated software-defined data center (SDDC) platform; VMware Telco Cloud Platform; and VMware Telco Cloud Infrastructure.

These vulnerabilities highlight the increasing risk associated with virtualized environments, and their growing complexity, said Cypfer’s Dubrovsky. “While there is no evidence that these vulnerabilities themselves offer any type of remote code execution, they do offer a possible avenue for tampering with some email flows and for probing systems for additional information such as a list of valid accounts.”

This is risky, he said, because threat actors in many attack scenarios need to gain access to valid credentials. “There is a booming market on the dark web that sells such information, allowing threat actors to gain a foothold into an environment and then expand that foothold by moving laterally and gaining opportunities to increase their access privilege levels to exfiltrate restricted and confidential information or gain complete control for system encryption or other damage,” he said.

He pointed out that many threat actors use dictionaries, which include the default credentials shipped with products, to guess passwords or usernames, and it doesn’t help that many organizations forget to change them. IT leaders who mandate changing default credentials increase the time it takes for a threat actor to guess the login ID portion of a credential pair. These bugs, on the other hand, make the attacker’s job easier.

“Using these [VMware] vulnerabilities, without any special access, threat actors are able to enumerate the active accounts on systems, which essentially gives them about 50% into guessing the credential pair (login/password),” he said. “This is a high risk condition, and administrators should patch immediately and ensure they are not using default account logins.”

Robert Beggs, head of Canadian incident response firm DigitalDefence, said the SMTP attack vulnerability seems “somewhat limited in spite of the high severity level. It requires malicious action on the part of a legitimate user who does not yet have admin-level access.”

He agreed with Dubrovsky that the other two vulnerabilities together give an attacker the ability to identify legitimate usernames. The knowledge of half of an access credential would facilitate attacks such as brute force guessing of the password or password spraying attacks. “It makes these attacks more reliable,” he said, “and minimizes the effort that might get identified by various security controls. Together, knowing even half of the credential will decrease security and make things easier for the attacker.”

He added, “This drives home the importance of multi-factor authentication for login protection. If the attacker had to use MFA as part of the attack profile, the advantage that comes with knowing half of the access credentials would be largely negated.”
