CVE-2025-41251
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2025-09-29

Assigner: VMware

Description
VMware NSX contains a weak password recovery mechanism vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially enabling brute-force attacks. Impact:Β Username enumeration β†’ credential brute force risk. Attack Vector:Β Remote, unauthenticated. Severity:Β Important. CVSSv3:Β 8.1 (High). Acknowledgments:Β Reported by the National Security Agency. Affected Products:VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x NSX-T 3.x VMware Cloud Foundation (with NSX) 5.x, 4.5.x Fixed Versions: NSX 9.0.1.0; 4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287). Workarounds: None.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2025-09-29
Generated
2026-06-16
AI Q&A
2025-09-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-41251
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
vmware nsx 4.1
vmware nsx 4.2
vmware cloud_foundation 5.x
vmware nsx 9.x
vmware cloud_foundation 4.5
vmware nsx 4.0
vmware nsx-t 3.x
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in VMware NSX involves a weak password recovery mechanism that allows an unauthenticated attacker to enumerate valid usernames. By identifying valid usernames, the attacker can then attempt brute-force attacks to guess passwords and gain unauthorized access.

Impact Analysis

The vulnerability can lead to username enumeration, which increases the risk of credential brute-force attacks. This can result in unauthorized access to systems, potentially compromising confidentiality, integrity, and availability of data and services.

Mitigation Strategies

Apply the fixed versions of the affected VMware NSX products as soon as possible. The fixed versions include NSX 9.0.1.0; 4.2.2.2/4.2.3.1; 4.1.2.7; NSX-T 3.2.4.3; and the CCF async patch (KB88287). There are no workarounds available, so patching is the primary mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41251. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart