CVE-2025-41228

Summary

VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.

Affected Software

VendorProductVersion RangeStatus
VMwarevCenter Server8.0 < 8.0 U3eaffected
VMwareCloud Foundation5.x, 4.5.xaffected
VMwareTelco Cloud Platform5.x, 4.x, 3.x, 2.xaffected
VMwareTelco Cloud Infrastructure3.x,2.xaffected
VMwareESXi8.0 < ESXi80U3se-24659227affected
VMwareESXi7.0 < ESXi70U3sv-24723868affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References