CVE-2025-41225

Summary

The vCenter Server contains an authenticated command-execution vulnerability. A malicious actor with privileges to create or modify alarms and run script action may exploit this issue to run arbitrary commands on the vCenter Server.

Affected Software

VendorProductVersion RangeStatus
VMwarevCenter Server8.0 < 8.0 U3eaffected
VMwarevCenter Server7.0 < 7.0 U3vaffected
VMwareCloud Foundation5.x, 4.5.xaffected
VMwareTelco Cloud Platform5.x, 4.x, 3.x, 2.xaffected
VMwareTelco Cloud Infrastructure3.x, 2.xaffected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References