VMware NSX CVE-2025-41251: Brief Summary of Username Enumeration via Weak Password Recovery

A brief summary of CVE-2025-41251 affecting VMware NSX, where a weak password recovery mechanism enables remote, unauthenticated username enumeration. Includes affected versions, exploitation details, and patch information.
ZeroPath CVE Analysis

2025-09-29

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can remotely enumerate valid usernames on unpatched VMware NSX systems, setting the stage for targeted credential brute force campaigns. This vulnerability, tracked as CVE-2025-41251 and reported by the National Security Agency, impacts a wide range of NSX and VMware Cloud Foundation deployments, with no available workarounds and a CVSSv3 score of 8.1.

About VMware NSX: VMware, now under Broadcom, is a global leader in virtualization and network security solutions. NSX is its flagship network virtualization platform, widely used in enterprise and cloud environments for microsegmentation and network policy enforcement. Security flaws in NSX can have broad impact due to its integration in critical infrastructure and cloud stacks.

Technical Information

CVE-2025-41251 is rooted in a weak password recovery mechanism within VMware NSX. The vulnerability allows remote, unauthenticated attackers to determine whether a username exists by submitting password recovery requests and analyzing the system's response. This is classified as CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).

The attack is possible because the password recovery endpoint responds differently depending on whether the provided username is valid. These differences may include distinct error messages, HTTP status codes, or subtle timing variations. Attackers can automate requests with lists of potential usernames and observe which ones elicit a response indicating a valid account. This enables the creation of a comprehensive list of valid usernames for the target NSX deployment.
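The root cause described above is the general CWE-640 pattern, not anything specific to NSX: a recovery endpoint whose status code, body, or work done differs between known and unknown usernames. The following added example (constructed for this write-up, not NSX or Broadcom code; the user store, handler names and messages are hypothetical) shows that weak pattern beside a response-uniform redesign, so the two can be compared with a single check.

```python
"""Generic illustration of CWE-640 username enumeration through a password-recovery
endpoint, and a response-uniform redesign.  Constructed example code; it is not
VMware NSX code and makes no claim about NSX's real endpoints or messages."""
import hashlib
import secrets

# Constructed user store: username -> (password hash, registered e-mail).
# The "hashes" are placeholders, not real credential material.
USERS = {
    "admin": (hashlib.sha256(b"placeholder-1").hexdigest(), "admin@example.test"),
    "auditor": (hashlib.sha256(b"placeholder-2").hexdigest(), "auditor@example.test"),
}

SENT_EMAILS = []  # stands in for the mail transport; the client never sees this


def _issue_reset_token(email):
    """Generate a reset token and 'send' it to the account's registered address."""
    token = secrets.token_urlsafe(32)
    SENT_EMAILS.append((email, token))
    return token


def vulnerable_recover(username):
    """Weak pattern: status and message reveal whether the account exists."""
    if username not in USERS:
        return 404, "No account found for that username"
    _issue_reset_token(USERS[username][1])
    return 200, "A password reset link has been sent"


def hardened_recover(username):
    """Response-uniform pattern: same status, same body and equivalent work for
    every input, so the only signal (the e-mail) goes to the real account owner."""
    record = USERS.get(username)
    if record is not None:
        _issue_reset_token(record[1])
    else:
        # Do the same token generation on the unknown-user path so the
        # response time does not depend on whether the username exists.
        secrets.token_urlsafe(32)
    return 202, "If an account exists for that username, a reset link has been sent"


def responses_are_indistinguishable(handler, known_user, unknown_user):
    """True when the client-visible (status, body) pair is identical for a known
    and an unknown username; the property a recovery endpoint should satisfy."""
    return handler(known_user) == handler(unknown_user)
```

The check compares only what the client can observe. Equalising the work on both paths addresses the timing side channel the text mentions; rate limiting per source and per username should be layered on top, since a uniform response alone does not stop high-volume probing.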

Once a list of valid usernames is obtained, attackers can attempt credential brute force or password spraying attacks with much greater efficiency. The vulnerability is accessible over the network and does not require any authentication, making it particularly dangerous for internet-exposed NSX management interfaces.
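Because the probing is unauthenticated and network-reachable, the realistic control while a patch is pending is to notice it: one source submitting many different usernames to the recovery endpoint in a short window. The following added example (constructed here, not NSX tooling; the access-log layout, path `/password-recovery` and thresholds are invented for illustration and are not NSX's real log or endpoint format) runs that detection over a few constructed log lines.

```python
"""Detection sketch for password-recovery username enumeration, run over constructed
log lines.  Added example code; the log format and endpoint path are invented for
illustration and are not NSX's audit or access log format."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines: timestamp, client IP, method, path, submitted username.
SAMPLE_LOG = """\
2025-09-29T10:00:01Z 203.0.113.5 POST /password-recovery user=alice
2025-09-29T10:00:02Z 203.0.113.5 POST /password-recovery user=bob
2025-09-29T10:00:02Z 203.0.113.5 POST /password-recovery user=carol
2025-09-29T10:00:03Z 203.0.113.5 POST /password-recovery user=dave
2025-09-29T10:00:03Z 203.0.113.5 POST /password-recovery user=erin
2025-09-29T10:00:04Z 203.0.113.5 POST /password-recovery user=frank
2025-09-29T10:05:00Z 198.51.100.7 POST /password-recovery user=alice
2025-09-29T10:06:00Z 198.51.100.7 POST /password-recovery user=alice
2025-09-29T10:30:00Z 192.0.2.9 GET /login user=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) user=(?P<user>\S+)$"
)


def parse_lines(text):
    """Parse the constructed log format into event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "path": m["path"],
            "user": m["user"],
        })
    return events


def find_enumeration_sources(events, window=timedelta(minutes=5),
                             min_distinct_users=5, recovery_path="/password-recovery"):
    """Return {src_ip: sorted usernames} for sources that submitted at least
    `min_distinct_users` different usernames to the recovery endpoint within
    `window`.  A legitimate user retrying their own recovery is not flagged,
    because the count is of distinct usernames, not of requests."""
    by_src = defaultdict(list)
    for e in events:
        if e["path"] == recovery_path:
            by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over this source's recovery requests, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_distinct_users:
                flagged[src] = sorted({e["user"] for e in evs})
                break
    return flagged
```

Counting distinct usernames rather than raw request volume keeps a single forgetful user below the threshold while still catching a wordlist being walked through the endpoint; the window and threshold should be tuned to the deployment's normal recovery traffic.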

Affected Systems and Versions

The following products and versions are affected:

  • VMware NSX 9.x.x.x
  • VMware NSX 4.2.x
  • VMware NSX 4.1.x
  • VMware NSX 4.0.x
  • NSX-T 3.x
  • VMware Cloud Foundation (with NSX) 5.x
  • VMware Cloud Foundation (with NSX) 4.5.x

Fixed versions:

  • NSX 9.0.1.0
  • NSX 4.2.2.2 or 4.2.3.1
  • NSX 4.1.2.7
  • NSX-T 3.2.4.3
  • VMware Cloud Foundation: Apply the VCF async patch (KB88287)

There are no effective workarounds. All configurations using the above vulnerable versions are at risk.

Vendor Security History

VMware has a history of critical vulnerabilities in its infrastructure products, including NSX and ESXi. Previous issues have included authentication bypasses, remote code execution, and input validation flaws. The vendor typically issues coordinated advisories and patches, but the frequency of high-severity vulnerabilities has led to increased scrutiny from the security community. The acquisition by Broadcom has also introduced changes in support and vulnerability management processes.
