NATO-Tagged Flaw Leads Latest VMware Security Fixes

Elvis Emeka Ikeji Security 20 May 2025 Hits: 203

Broadcom-owned VMware released urgent patches on Tuesday to address two sets of vulnerabilities in its core infrastructure software. These flaws could lead to data leakage,

command execution, and denial-of-service attacks, and there are no temporary workarounds available.

The virtualization company published two separate advisories covering at least seven vulnerabilities affecting VMware Cloud Foundation, VMware ESXi, vCenter Server, Workstation, and Fusion.

The first and more critical advisory, VMSA-2025-0009, attributes the discovery of three security issues in VMware Cloud Foundation to the NATO Cyber Security Centre. The most severe flaw, tracked as CVE-2025-41229, is a directory traversal vulnerability with a CVSS score of 8.2 out of 10.

VMware warned that attackers with network access to port 443 on VMware Cloud Foundation could exploit this issue to reach certain internal services.

Additional patches were released to address an information disclosure vulnerability (CVSS 7.5) and a missing authorization issue (CVSS 7.3) in VMware Cloud Foundation. This product is widely used by organizations to manage and operate private cloud environments.

Customers are strongly encouraged to upgrade to VMware Cloud Foundation version 5.2.1.2.

In a second advisory, VMSA-2025-0010, VMware detailed four more vulnerabilities affecting ESXi, vCenter Server, Workstation, and Fusion.

The most serious of these is CVE-2025-41225, an authenticated command execution vulnerability in vCenter that has a CVSS score of 8.8. VMware noted that attackers with the ability to create or modify alarms could use this flaw to execute arbitrary commands on the management plane.

The remaining vulnerabilities include two denial-of-service issues (CVSS scores 6.8 and 5.5) and a reflected cross-site scripting flaw affecting both ESXi and vCenter (CVSS score 4.3).

VMware stated that upgrading is the only solution, as there are no mitigations available. There is currently no evidence of these vulnerabilities being exploited in the wild.

Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.

WHAT ARE YOU LOOKING FOR?

Popular Tags

Senator Wyden Urges FTC to Probe Microsoft for Cybersecurity Negligence

U.S. Targets Russian and Chinese Entities in North Korean IT Scam

U.S. Busts 29 Laptop Farms Tied to North Korean IT Scam

U.S. Moves to Seize $225.3M Linked to Crypto Scams

Facebook Among Social Media Platforms Nepal Plans to Block

Japan Plans to Double Cybersecurity Workforce by 2030

Apple Moves Most U.S.-Bound iPhone Production Out of China

Indian Court Orders Block on Proton Mail Email Service

Czech Agency Warns of Chinese Espionage Threat to Infrastructure

Russia Blocks Telegram, WhatsApp Calls Over Law Violations

UK to Ban Public Sector from Paying Ransomware Gangs

UK’s Most Powerful Supercomputer Goes Live

Sovereign AI Cloud Debuts in South Africa via Touchnet–Zadara Alliance

Sui Opens Lagos Hub to Boost West Africa’s Blockchain Development

Axiz and Kaspersky Join Forces to Boost Cybersecurity in Africa

Schneider Electric Unveils First African Innovation Hub to Advance Digital Solutions

Pakistan's Government Launches Probe Into SIM Data Leak

Red Sea Cable Damage Disrupts Internet in Asia and Middleeast

Hackers Claim Breach of Saudi Industrial Services Firm

Nokia, e& UAE, and MediaTek Break 5G Speed Record in Middle East

Raleigh, NC

NATO-Tagged Flaw Leads Latest VMware Security Fixes

Follow us on

Get Our Newsletter

Tech

Arm Launches New Mobile Chip Designs Geared for AI

Microsoft Builds Independence with New Internal AI Models

Anthropic Blocks Hackers Exploiting Claude AI

PromptLock: First Ransomware Built with OpenAI’s gpt-oss:20b

Category

Popular Sections

About