Introduction
Attackers can remotely enumerate valid usernames on unpatched VMware NSX systems, setting the stage for targeted credential brute force campaigns. This vulnerability, tracked as CVE-2025-41251 and reported by the National Security Agency, impacts a wide range of NSX and VMware Cloud Foundation deployments, with no available workarounds and a CVSSv3 score of 8.1.
About VMware NSX: VMware, now under Broadcom, is a global leader in virtualization and network security solutions. NSX is its flagship network virtualization platform, widely used in enterprise and cloud environments for microsegmentation and network policy enforcement. Security flaws in NSX can have broad impact due to its integration in critical infrastructure and cloud stacks.
Technical Information
CVE-2025-41251 is rooted in a weak password recovery mechanism within VMware NSX. The vulnerability allows remote, unauthenticated attackers to determine whether a username exists by submitting password recovery requests and analyzing the system's response. This is classified as CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).
The attack is possible because the password recovery endpoint responds differently depending on whether the provided username is valid. These differences may include distinct error messages, HTTP status codes, or subtle timing variations. Attackers can automate requests with lists of potential usernames and observe which ones elicit a response indicating a valid account. This enables the creation of a comprehensive list of valid usernames for the target NSX deployment.
Once a list of valid usernames is obtained, attackers can attempt credential brute force or password spraying attacks with much greater efficiency. The vulnerability is accessible over the network and does not require any authentication, making it particularly dangerous for internet-exposed NSX management interfaces.
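Detection logic for the request pattern described above, added here as an example and not taken from the advisory or from VMware: it flags any source that submits password recovery requests for many distinct usernames within a short window. The endpoint path is a placeholder, the log layout and both thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions, not from the advisory: path, log layout, thresholds, time-ordered input.
RECOVERY_PATH = "/PLACEHOLDER/password-recovery"
WINDOW = timedelta(minutes=5)
MAX_DISTINCT_USERS = 3

# Constructed sample, one request per line: "<ISO time> <source> <path> user=<name>"
SAMPLE_LOG = """\
2025-01-01T10:00:01 198.51.100.7 /PLACEHOLDER/password-recovery user=admin
2025-01-01T10:00:02 198.51.100.7 /PLACEHOLDER/password-recovery user=root
2025-01-01T10:00:03 192.0.2.10 /PLACEHOLDER/password-recovery user=alice
2025-01-01T10:00:04 198.51.100.7 /PLACEHOLDER/password-recovery user=audit
2025-01-01T10:00:05 198.51.100.7 /PLACEHOLDER/password-recovery user=guest
2025-01-01T10:01:00 192.0.2.10 /PLACEHOLDER/password-recovery user=alice
2025-01-01T10:02:00 203.0.113.5 /PLACEHOLDER/password-recovery user=u1
2025-01-01T10:12:00 203.0.113.5 /PLACEHOLDER/password-recovery user=u2
2025-01-01T10:22:00 203.0.113.5 /PLACEHOLDER/password-recovery user=u3
2025-01-01T10:32:00 203.0.113.5 /PLACEHOLDER/password-recovery user=u4
"""

def parse(line):
    """Return (time, source, path, username), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].startswith("user="):
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3][5:].lower()
    except ValueError:
        return None

def find_enumeration(lines, window=WINDOW, limit=MAX_DISTINCT_USERS):
    """Map each source exceeding `limit` distinct usernames within `window` to those names."""
    recent, flagged = defaultdict(deque), {}
    for ts, src, path, user in filter(None, map(parse, lines)):
        if path != RECOVERY_PATH:
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop requests that fell out of the window
            q.popleft()
        users = {u for _, u in q}     # repeats of one username count once
        if len(users) > limit:
            flagged.setdefault(src, set()).update(users)
    return {src: sorted(names) for src, names in flagged.items()}

if __name__ == "__main__":
    for src, names in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible username enumeration from {src}: {names}")
```

With the sample thresholds, the source that spaces its requests ten minutes apart is not flagged; a longer window catches it at the cost of more false positives from shared egress addresses.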
Affected Systems and Versions
The following products and versions are affected:
- VMware NSX 9.x.x.x
- VMware NSX 4.2.x
- VMware NSX 4.1.x
- VMware NSX 4.0.x
- NSX-T 3.x
- VMware Cloud Foundation (with NSX) 5.x
- VMware Cloud Foundation (with NSX) 4.5.x
Fixed versions:
- NSX 9.0.1.0
- NSX 4.2.2.2 or 4.2.3.1
- NSX 4.1.2.7
- NSX-T 3.2.4.3
- VMware Cloud Foundation: Apply the CCF async patch (KB88287)
There are no effective workarounds. All configurations using the above vulnerable versions are at risk.
Vendor Security History
VMware has a history of critical vulnerabilities in its infrastructure products, including NSX and ESXi. Previous issues have included authentication bypasses, remote code execution, and input validation flaws. The vendor typically issues coordinated advisories and patches, but the frequency of high-severity vulnerabilities has led to increased scrutiny from the security community. The acquisition by Broadcom has also introduced changes in support and vulnerability management processes.