Introduction
Attackers can remotely enumerate valid usernames in VMware NSX environments without authentication, exposing organizations to targeted credential attacks and reconnaissance. This vulnerability, tracked as CVE-2025-41252, impacts a wide range of NSX and VMware Cloud Foundation deployments and was reported by the National Security Agency in September 2025.
VMware NSX is a leading network virtualization and security platform, widely used in enterprise and cloud data centers for micro-segmentation and network automation. Its critical role in modern infrastructure means vulnerabilities can have broad operational and security impact across industries.
Technical Information
CVE-2025-41252 is a username enumeration vulnerability classified under CWE-203 (Observable Discrepancy). The flaw exists in the authentication logic of VMware NSX management interfaces. When an unauthenticated actor submits a username to the login endpoint, the system's response varies depending on whether the username exists. These discrepancies can be in the form of error messages, HTTP status codes, or subtle timing differences.
An attacker can automate requests with lists of potential usernames and analyze the responses to reliably determine which usernames are valid. This enables the attacker to build a list of legitimate accounts, which can then be targeted in credential stuffing, brute force, or phishing campaigns. The vulnerability affects both web and API-based authentication endpoints in NSX and related products.
No public code snippets or proof of concept have been released for this vulnerability. The root cause is improper neutralization of differences in authentication error handling, allowing information about account existence to leak to unauthenticated users.
Affected Systems and Versions
The following products and versions are confirmed vulnerable:
- VMware NSX 9.x.x.x
- VMware NSX 4.2.x
- VMware NSX 4.1.x
- VMware NSX 4.0.x
- NSX-T 3.x
- VMware Cloud Foundation (with NSX) 5.x
- VMware Cloud Foundation (with NSX) 4.5.x
All configurations with exposed NSX management interfaces are affected.
Vendor Security History
VMware has experienced multiple high-impact vulnerabilities in NSX and ESXi products in 2024 and 2025. Notably, several NSX vulnerabilities were disclosed in 2025, and earlier in the year, three zero-day flaws in ESXi, Workstation, and Fusion were actively exploited. VMware generally provides timely advisories and patches, but the recurrence of critical issues in core products highlights ongoing security challenges in the virtualization space.