CVE-2025-41251
📋 TL;DR
This vulnerability in VMware NSX allows unauthenticated attackers to enumerate valid usernames through a weak password recovery mechanism. This enables credential brute-force attacks against identified accounts. Affected organizations include those running vulnerable versions of VMware NSX, NSX-T, and VMware Cloud Foundation with NSX.
💻 Affected Systems
- VMware NSX
- VMware NSX-T
- VMware Cloud Foundation (with NSX)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to NSX management interfaces, potentially compromising entire virtual infrastructure, exfiltrating sensitive data, or deploying ransomware.
Likely Case
Attackers identify valid administrative accounts and successfully brute-force credentials, gaining unauthorized access to NSX management with varying privilege levels.
If Mitigated
Username enumeration is prevented, but attackers may still attempt brute-force attacks against known accounts if other authentication weaknesses exist.
🎯 Exploit Status
Username enumeration vulnerabilities are typically easy to exploit with simple HTTP requests; credential brute-forcing requires additional tools but is well-understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NSX 9.0.1.0; NSX 4.2.2.2/4.2.3.1; NSX 4.1.2.7; NSX-T 3.2.4.3; VMware Cloud Foundation async patch (KB88287)
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36150
Restart Required: Yes
Instructions:
1. Review VMware advisory KB88287.
2. Identify affected NSX/NSX-T/Cloud Foundation deployments.
3. Apply appropriate patch version for your deployment.
4. Restart NSX services as required.
5. Verify patch application and functionality.
🧯 If You Can't Patch
- Implement network access controls to restrict NSX management interfaces to trusted administrative networks only.
- Enable multi-factor authentication for all NSX administrative accounts and implement account lockout policies for failed login attempts.
🔍 How to Verify
Check if Vulnerable:
Check NSX/NSX-T version via NSX Manager UI (Administration → System → Updates) or CLI command 'get version'.
Check Version:
From NSX CLI: get version
Verify Fix Applied:
Verify that the installed version matches one of the patched versions listed in the advisory, and test that the password recovery functionality no longer reveals username validity.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of password recovery requests from single IPs
- Multiple failed login attempts following password recovery requests
- Authentication logs showing login attempts for enumerated usernames
Network Indicators:
- High volume of HTTP POST requests to password recovery endpoints
- Traffic patterns showing username enumeration attempts (systematic variations in requests)
SIEM Query:
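source="nsx_logs" (url_path="/api/password-recovery" OR message="password recovery") | stats count by src_ip | where count > <threshold>
This is a Splunk-style template: replace <threshold> with a value above your normal password recovery volume, and adjust the source, field names and URL path to match your own log schema.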
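
The log indicators above (many recovery requests from one source, then failed logins for the same usernames) can be correlated per source address. The following Python is an added example, not part of the advisory or of any VMware tooling; the key=value log format, event names, function name and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value format (assumption:
# real NSX logs differ, so adapt LINE_RE and the event names to your schema).
SAMPLE_LOG = """\
2025-01-01T10:00:01 src=203.0.113.7 event=password_recovery user=admin
2025-01-01T10:00:02 src=203.0.113.7 event=password_recovery user=audit
2025-01-01T10:00:03 src=203.0.113.7 event=password_recovery user=root
2025-01-01T10:00:04 src=203.0.113.7 event=password_recovery user=operator
2025-01-01T10:00:30 src=203.0.113.7 event=login_failed user=admin
2025-01-01T10:00:31 src=203.0.113.7 event=login_failed user=admin
2025-01-01T10:05:00 src=198.51.100.20 event=password_recovery user=jsmith
2025-01-01T10:06:00 src=198.51.100.20 event=login_failed user=jsmith
2025-01-01T11:30:00 src=192.0.2.9 event=password_recovery user=alice
2025-01-01T11:45:00 src=192.0.2.9 event=password_recovery user=alice
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) event=(\S+) user=(\S+)$")

def detect(log_text, window=timedelta(minutes=5), min_users=3):
    """Flag sources that request recovery for >= min_users distinct usernames
    within `window`, and record which probed names later see failed logins.
    Assumes the log lines are in time order."""
    recent = defaultdict(deque)  # src -> (time, user) recovery requests in window
    probed = defaultdict(set)    # src -> every username it requested recovery for
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, src, event, user = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        if event == "password_recovery":
            q = recent[src]
            q.append((ts, user))
            while ts - q[0][0] > window:  # drop requests older than the window
                q.popleft()
            probed[src].add(user)
            users_in_window = {u for _, u in q}
            if len(users_in_window) >= min_users:
                alert = alerts.setdefault(
                    src, {"probed": set(), "followed_by_failed_login": set()})
                alert["probed"] |= users_in_window
        elif event == "login_failed" and src in alerts and user in probed[src]:
            alerts[src]["followed_by_failed_login"].add(user)
    return alerts
```

Counting distinct usernames rather than raw requests keeps a single user who retries their own recovery (192.0.2.9 in the sample) from raising an alert.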