VMware vCenter CVE-2025-41250 SMTP Header Injection: Brief Summary and Technical Review

A brief summary of CVE-2025-41250, an SMTP header injection vulnerability in VMware vCenter. This post covers technical details, affected versions, and vendor security history based on available information.

ZeroPath CVE Analysis

2025-09-29

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Manipulating trusted infrastructure notifications can open the door to phishing, information disclosure, and lateral movement inside enterprise environments. VMware vCenter, a core management platform for virtualized data centers, is affected by a high-severity SMTP header injection vulnerability tracked as CVE-2025-41250. This issue allows authenticated users with scheduled task creation permissions to tamper with notification emails sent by vCenter, potentially enabling a range of attacks.

About VMware vCenter: VMware is a global leader in virtualization and cloud infrastructure, with vCenter Server serving as the central management solution for VMware environments. vCenter is widely deployed in enterprise data centers and underpins the management of virtual machines, storage, and network resources across thousands of organizations.

Technical Information

CVE-2025-41250 is an SMTP header injection vulnerability in VMware vCenter. The flaw is present in the email notification system for scheduled tasks. When a user with the necessary permissions creates or modifies a scheduled task, vCenter generates notification emails. The vulnerability exists because user-controlled input is incorporated into email headers without sufficient sanitization.

Attackers can exploit this by injecting carriage return and line feed (CRLF) sequences into relevant input fields. For example, if the task name or description field is not sanitized, an attacker could submit input like:

TaskName\r\nBCC: [email protected]\r\nSubject: Malicious Subject

This input would cause the email system to treat the injected content as new headers, allowing the attacker to add BCC recipients, alter the subject, or otherwise manipulate the email. The root cause is improper neutralization of special elements used in the construction of email headers, which aligns with CWE-77 (command injection). No public code snippets or proof of concept have been released for this vulnerability.
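The pattern described above, next to a hardened counterpart and an audit check, as an added example that is not VMware's code or part of the original analysis. The addresses, the subject template, and all function names are constructed for illustration, and the task name is assumed to be the field that reaches the Subject header.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Constructed values: addresses, template and tainted input are illustrative only.
SENDER = "vcenter@example.invalid"
RECIPIENT = "ops@example.invalid"
TAINTED = "TaskName\r\nBCC: observer@example.invalid\r\nSubject: Malicious Subject"
ALLOWED = ("from", "to", "subject",
           "content-type", "content-transfer-encoding", "mime-version")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and every other control char


def build_naive(task_name: str) -> str:
    """Vulnerable pattern: user input concatenated into the header block."""
    return (f"From: {SENDER}\r\nTo: {RECIPIENT}\r\n"
            f"Subject: Task finished: {task_name}\r\n"
            "\r\nSee vCenter for details.\r\n")


def build_safe(task_name: str) -> str:
    """Hardened pattern: refuse control characters, then let the library serialize."""
    if _CONTROL.search(task_name):
        raise ValueError("control character in header value")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = f"Task finished: {task_name}"
    msg.set_content("See vCenter for details.")
    return msg.as_string()


def header_names(raw: str) -> list[str]:
    """Header names as a receiving parser sees them, lower-cased."""
    return [name.lower() for name in message_from_string(raw).keys()]


def unexpected_headers(raw: str, allowed=ALLOWED) -> list[str]:
    """Audit check: headers outside the template, plus any duplicated header."""
    seen, flagged = set(), []
    for name in header_names(raw):
        if name not in allowed or name in seen:
            flagged.append(name)
        seen.add(name)
    return flagged
```

Running `unexpected_headers` over outbound notification mail captured at the relay flags both the extra recipient header and the duplicated Subject, which is the signature this class of injection leaves.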

Affected Systems and Versions

  • Product: VMware vCenter Server
  • Vulnerable configurations: Systems where non-administrative users have permission to create scheduled tasks
  • Specific affected versions: Not provided in the available briefing materials

Vendor Security History

VMware, now a Broadcom company, has a history of critical vulnerabilities in its virtualization management products. Previous issues include command execution (such as CVE-2025-41225) and authentication bypass flaws. The vendor typically issues timely patches and detailed advisories, but the frequency and impact of vulnerabilities in vCenter and related products remain a concern for security teams.
