CVE-2025-41228

VMware ESXi and vCenter Server Reflected Cross Site Scripting (XSS) Vulnerability

CVSS 4.3 MEDIUMEPSS 0.7%CWE-79

VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected products

VMware · Cloud Foundation VMware · ESXi VMware · Telco Cloud Infrastructure VMware · Telco Cloud Platform VMware · vCenter Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25717