CVE-2025-41250

Summary

VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks.

Affected Software

VendorProductVersion RangeStatus
VMwarevCenter8.0 < 8.0 U3gaffected
VMwarevCenter7.0 < 7.0 U3waffected
VMwareCloud Foundation9.x.x.x < 9.0.1.0affected
VMwareCloud Foundation5.x < 5.2.2affected
VMwareCloud Foundation4.5.xaffected
VMwareTelco Cloud Platform5.x, 4.x, 3.x, 2.xaffected
VMwareTelco Cloud Infrastructure3.x, 2.xaffected
VMwarevSphere Foundation9.x.x.x < 9.0.1.0affected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References