CVE-2025-41252

Medienbericht

EPSS 0.06%
Veröffentlicht 29.09.2025 19:15:35
Zuletzt bearbeitet 29.09.2025 19:34:10
Quelle security@vmware.com
Teams Watchlist Login
Unerledigt Login

Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access attempts.


Impact: Username enumeration → facilitates unauthorized access.


Attack Vector: Remote, unauthenticated.


Severity: Important.


CVSSv3: 7.5 (High).


Acknowledgments: Reported by the National Security Agency.


Affected Products:



  *  VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x

  *  NSX-T 3.x

  *  VMware Cloud Foundation (with NSX) 5.x, 4.5.x












Fixed Versions: 



  *  NSX 9.0.1.0;  4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287).






Workarounds: None.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerVMware

≫

Produkt NSX

Default Statusunaffected

Version VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x

Status affected

Version VMware NSX-T 3.x

Status affected

Version VMware Cloud Foundation (with NSX) 5.x, 4.5.x

Status affected

Version VMware NSX 9.0.1.0; 4.2.2.2/4.2.3.1; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287)

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.179

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@vmware.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://www.heise.de/news/Verschiedene-Attacken-auf-VMware-vCenter-NSX-Co-moeglich-10688819.html

Medienbericht

heise Security

https://https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36150

https://nvd.nist.gov/vuln/detail/CVE-2025-41252

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-41252

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-41252

EUVD