{"id":5131,"date":"2025-10-01T00:29:50","date_gmt":"2025-10-01T00:29:50","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5131"},"modified":"2025-10-01T00:29:50","modified_gmt":"2025-10-01T00:29:50","slug":"threat-actors-could-retrieve-valid-usernames-from-vmware-by-exploiting-vulnerabilities","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5131","title":{"rendered":"Threat actors could retrieve valid usernames from VMware by exploiting vulnerabilities"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Three new vulnerabilities have been found in critical VMware products, including two that could be used to recover usernames.<\/p>\n<p>The trio of holes, two of which were found by the US National Security Agency (NSA), <a href=\"https:\/\/support.broadcom.com\/web\/ecx\/support-content-notification\/-\/external\/content\/SecurityAdvisories\/0\/36150\" target=\"_blank\" rel=\"noopener\">were divulged Monday<\/a> and tagged \u201cImportant\u201d in terms of severity.<\/p>\n<p>Patches are available to plug all three.<\/p>\n<p>\u201cOrganizations that delay patching face increased incident risk,\u201d said <a href=\"https:\/\/cypfer.com\/team-member\/ed-dubrovsky\/\" target=\"_blank\" rel=\"noopener\">Ed Dubrovsky,<\/a> chief operating officer of incident response firm Cypfer. \u201cAn attacker could slip into internal systems under the radar, pivot to sensitive assets, or use the reconnaissance data to mount more damaging follow\u2011on attacks. 
There is no good reason for organizations to allow the adversary\u2019s reconnaissance toolkit to grow, or to lower the barrier for lateral movement or phishing escalation, so patch as soon as possible.\u201d<\/p>\n<p>The vulnerabilities are:<\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-41250\" target=\"_blank\" rel=\"noopener\">CVE-2025-41250<\/a>, an SMTP header injection vulnerability in vCenter, the centralized management platform for VMware\u2019s virtualization software. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks, says the advisory.<br \/>\u201cGiven that it does require authentication, the exploit possibilities are likely limited,\u201d commented <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute;<\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-41251\" target=\"_blank\" rel=\"noopener\">CVE-2025-41251<\/a>, a weak password recovery mechanism vulnerability in NSX, the company\u2019s virtualization solution for networks. An unauthenticated malicious actor could exploit this vulnerability to enumerate valid usernames, says the advisory, potentially leading to brute-force attacks;<\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-41252\" target=\"_blank\" rel=\"noopener\">CVE-2025-41252<\/a>, a username enumeration vulnerability, also in NSX. An unauthenticated malicious actor may exploit this vulnerability to enumerate valid usernames, says the advisory, potentially leading to unauthorized access attempts.<\/p>\n<p>The NSA said it couldn\u2019t comment by <em>CSO<\/em>\u2019s deadline.<\/p>\n<p>\u201cAs far as vulnerabilities go, the ability to enumerate users is minor and common in password reset forms,\u201d said Ullrich. 
\u201cMany password reset features will let the user know if an account they are trying to reset the password for does not exist. This can be used to identify accounts that exist.\u201d<\/p>\n<p>Although the bug needs to be patched, he doesn\u2019t view it as a high priority. \u201cThe user enumeration could be leveraged for more efficient brute forcing, but brute forcing may happen without it. CISOs should look into how brute forcing is mitigated, for example, via a web application firewall or configuration options in vCenter.\u201d<\/p>\n<p>vCenter shouldn\u2019t be exposed to the internet, he added. Instead, access should be through a VPN.<\/p>\n<p>Impacted products in addition to NSX and vCenter are VMware Cloud Foundation, an integrated software-defined data center (SDDC) platform; VMware Telco Cloud Platform; and VMware Telco Cloud Infrastructure.<\/p>\n<p>These vulnerabilities highlight the increasing risk associated with virtualized environments, and their growing complexity, said Cypfer\u2019s Dubrovsky. \u201cWhile there is no evidence that these vulnerabilities themselves offer any type of remote code execution, they do offer a possible avenue for tampering with some email flows and for probing systems for additional information such as a list of valid accounts.\u201d<\/p>\n<p>This is risky, he said, because threat actors in many attack scenarios need to gain access to valid credentials. 
\u201cThere is a booming market on the dark web that sells such information, allowing threat actors to gain a foothold into an environment and then expand that foothold by moving laterally and gaining opportunities to increase their access privilege levels to exfiltrate restricted and confidential information or gain complete control for system encryption or other damage,\u201d he said.<\/p>\n<p>He pointed out that many threat actors use dictionaries, which include the default credentials shipped with products, to guess passwords or usernames, and it doesn\u2019t help that many organizations forget to change them. IT leaders who mandate changing default credentials increase the time it takes for a threat actor to guess the login ID portion of a credential pair. These bugs, on the other hand, make the attacker\u2019s job easier.<\/p>\n<p>\u201cUsing these [VMware] vulnerabilities, without any special access, threat actors are able to enumerate the active accounts on systems, which essentially gives them about 50% into guessing the credential pair (login\/password),\u201d he said. \u201cThis is a high risk condition, and administrators should patch immediately and ensure they are not using default account logins.\u201d<\/p>\n<p><a href=\"https:\/\/www.digitaldefence.ca\/company\/\" target=\"_blank\" rel=\"noopener\">Robert Beggs<\/a>, head of Canadian incident response firm DigitalDefence, said the SMTP attack vulnerability seems \u201csomewhat limited in spite of the high severity level. It requires malicious action on the part of a legitimate user who does not yet have admin-level access.\u201d<\/p>\n<p>He agreed with Dubrovsky that the other two vulnerabilities together give an attacker the ability to identify legitimate usernames. The knowledge of half of an access credential would facilitate attacks such as brute force guessing of the password or password spraying attacks. 
\u201cIt makes these attacks more reliable,\u201d he said, \u201cand minimizes the effort that might get identified by various security controls. Together, knowing even half of the credential will decrease security and make things easier for the attacker.\u201d<\/p>\n<p>He added, \u201cThis drives home the importance of multi-factor authentication for login protection. If the attacker had to use MFA as part of the attack profile, the advantage that comes with knowing half of the access credentials would be largely negated.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Three new vulnerabilities have been found in critical VMware products, including two that could be used to recover usernames. The trio of holes, two of which were found by the US National Security Agency (NSA), were divulged Monday and tagged \u201cImportant\u201d in terms of severity. Patches are available to plug all three. \u201cOrganizations that delay [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5132,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5131","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5131"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5131"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5131\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest
_route=\/wp\/v2\/media\/5132"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}