Reflected Cross-Site Scripting Vulnerability in VMware ESXi and vCenter Server
CVE-2025-41228

4.3MEDIUM

Key Information:

Vendor: VMware
Status: Vmware Vcenter Server; Vmware Cloud Foundation; Vmware Telco Cloud Platform; Vmware Telco Cloud Infrastructure
Vendor: CVE Published:; 20 May 2025

What is CVE-2025-41228?

VMware ESXi and vCenter Server are impacted by a reflected cross-site scripting vulnerability caused by improper input validation. Attackers with network access to the login page of specific ESXi hosts or vCenter Server URL paths can exploit this flaw. By doing so, they may steal cookies or redirect users to harmful websites, jeopardizing the security of sensitive information.

Affected Version(s)

VMware Cloud Foundation 5.x, 4.5.x

VMware ESXi 8.0

VMware ESXi 7.0

References

https://support.broadcom.com/web/ecx/support-content-noti...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2025
Vulnerability Reserved
Apr 16, 2025