PT-2025-39856 · VMware · VMware NSX-T +2

Published: 2025-09-29 · Updated: 2026-01-27 · CVE-2025-41251

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

VMware NSX versions 4.0.x through 4.2.x
VMware NSX versions 4.1.x
VMware NSX-T versions 3.x
VMware Cloud Foundation (with NSX) versions 4.5.x and 5.x
VMware NSX version 9.x.x.x

Description

The software contains a weak password recovery mechanism. An unauthenticated attacker can exploit this to enumerate valid usernames, which could lead to credential brute-force attacks. The attack vector is remote and does not require authentication. This issue was reported by the National Security Agency.

Recommendations

Update VMware NSX to version 9.0.1.0.
Update VMware NSX to version 4.2.2.2 or 4.2.3.1.
Update VMware NSX to version 4.1.2.7.
Update VMware NSX-T to version 3.2.4.3.
Apply the CCF async patch (KB88287) for VMware Cloud Foundation.

Fix

Weakness Enumeration

Related Identifiers

BDU:2025-12558
CVE-2025-41251

Affected Products

VMware Cloud Foundation
VMware NSX
VMware NSX-T