Reflected Cross-Site Scripting Vulnerability in VMware ESXi and vCenter Server
CVE-2025-41228

4.3MEDIUM

Key Information:

Vendor: Vmware
Status: Vcenter Server; Cloud Foundation; Telco Cloud Platform; Telco Cloud Infrastructure
Vendor: CVE Published:; 20 May 2025

What is CVE-2025-41228?

VMware ESXi and vCenter Server are impacted by a reflected cross-site scripting vulnerability caused by improper input validation. Attackers with network access to the login page of specific ESXi hosts or vCenter Server URL paths can exploit this flaw. By doing so, they may steal cookies or redirect users to harmful websites, jeopardizing the security of sensitive information.

Affected Version(s)

Cloud Foundation 5.x, 4.5.x

ESXi 8.0

ESXi 7.0

References

https://support.broadcom.com/web/ecx/support-content-noti...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2025
Vulnerability Reserved
Apr 16, 2025

Vmware

What is CVE-2025-41228?

Affected Version(s)

References

CVSS V3.1

Timeline