VMware
Recent VMware Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-03-23 | CVE-2026-22739 - Medium - CVE-2026-22739: Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks | March 23, 2026 |
| 2026-03-19 | CVE-2026-22733 - High - CVE-2026-22733: Authentication Bypass under Actuator CloudFoundry endpoints | March 19, 2026 |
| 2026-03-19 | CVE-2026-22735 - Low - CVE-2026-22735: Server Sent Event stream corruption | March 19, 2026 |
| 2026-03-19 | CVE-2026-22732 - Critical - CVE-2026-22718: Under Some Conditions Spring Security HTTP Headers Are not Written | March 19, 2026 |
| 2026-03-19 | CVE-2026-22737 - Medium - CVE-2026-22737: Spring Framework Improper Path Limitation with Script View Templates | March 19, 2026 |
| 2026-03-19 | CVE-2026-22731 - High - CVE-2026-22731: Authentication Bypass under Actuator Health groups paths | March 19, 2026 |
| 2026-03-17 | CVE-2026-22730 - High - CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter | March 17, 2026 |
| 2026-03-17 | CVE-2026-22729 - High - CVE-2026-22729: JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter | March 17, 2026 |
| 2026-01-13 | CVE-2026-22718 - Medium - CVE-2026-22718: Command injection on user machine using VSCode extension for Spring CLI | January 13, 2026 |
| 2025-10-16 | CVE-2025-41254 - Medium - CVE-2025-41254: Spring Framework STOMP CSRF Vulnerability | October 16, 2025 |
Known Exploited VMware Vulnerabilities
The following VMware vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | CVE | Exploit Probability | Added |
|---|---|---|---|---|
| VMware ESXi and Workstation TOCTOU Race Condition Vulnerability | VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. | CVE-2025-22224 | 52.7% | March 4, 2025 |
| VMware ESXi Arbitrary Write Vulnerability | VMware ESXi contains an arbitrary write vulnerability. Successful exploitation allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox. | CVE-2025-22225 | 7.9% | March 4, 2025 |
| VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability | VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. Successful exploitation allows an attacker with administrative privileges to a virtual machine to leak memory from the vmx process. | CVE-2025-22226 | 6.8% | March 4, 2025 |
| VMware vCenter Server Heap-Based Buffer Overflow Vulnerability | VMware vCenter Server contains a heap-based buffer overflow vulnerability in the implementation of the DCERPC protocol. This vulnerability could allow an attacker with network access to the vCenter Server to execute remote code by sending a specially crafted packet. | CVE-2024-38812 | 78.8% | November 20, 2024 |
| VMware vCenter Server Privilege Escalation Vulnerability | VMware vCenter contains an improper check for dropped privileges vulnerability. This vulnerability could allow an attacker with network access to the vCenter Server to escalate privileges to root by sending a specially crafted packet. | CVE-2024-38813 | 31.2% | November 20, 2024 |
| VMware ESXi Authentication Bypass Vulnerability | VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. | CVE-2024-37085 | 74.8% | July 30, 2024 |
| VMware vCenter Server Incorrect Default File Permissions Vulnerability | VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information. | CVE-2022-22948 | 28.8% | July 17, 2024 |
| VMware vCenter Server Out-of-Bounds Write Vulnerability | VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote code execution. | CVE-2023-34048 | 93.2% | January 22, 2024 |
| VMware Tools Authentication Bypass Vulnerability | VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. An attacker must have root access over ESXi to exploit this vulnerability. | CVE-2023-20867 | 2.7% | June 23, 2023 |
| VMware Aria Operations for Networks Command Injection Vulnerability | VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that allows a malicious actor with network access to perform an attack resulting in remote code execution. | CVE-2023-20887 | 94.3% | June 22, 2023 |
| VMware Spring Cloud Gateway Code Injection Vulnerability | Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. | CVE-2022-22947 | 94.5% | May 16, 2022 |
| VMware Multiple Products Privilege Escalation Vulnerability | VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. | CVE-2022-22960 | 70.4% | April 15, 2022 |
| VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability | VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection. | CVE-2022-22954 | 94.4% | April 14, 2022 |
| Spring Framework JDK 9+ Remote Code Execution Vulnerability | Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. | CVE-2022-22965 | 94.4% | April 4, 2022 |
| VMware SD-WAN Edge by VeloCloud Command Injection Vulnerability | VMware SD-WAN Edge by VeloCloud contains a command injection vulnerability in the local web UI component. Successful exploitation of this issue could result in remote code execution. | CVE-2018-6961 | 93.6% | March 25, 2022 |
| VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability | VMware vCenter Server and Cloud Foundation Server contain a SSRF vulnerability due to improper validation of URLs in a vCenter Server plugin. This allows for information disclosure. | CVE-2021-21973 | 90.3% | March 7, 2022 |
| VMware Server Side Request Forgery in vRealize Operations Manager API | Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to steal administrative credentials. | CVE-2021-21975 | 94.4% | January 18, 2022 |
| VMware vCenter Server Improper Access Control | Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. | CVE-2021-22017 | 79.5% | January 10, 2022 |
| VMware ESXi/Horizon DaaS Appliances Heap-Overwrite Vulnerability | OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. A malicious actor with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service resulting in remote code execution. | CVE-2019-5544 | 92.7% | November 3, 2021 |
| VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector Comm | VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability. | CVE-2020-4006 | 12.8% | November 3, 2021 |
Of the known exploited vulnerabilities above, 11 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 5 known exploited VMware vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest VMware Vulnerabilities
These VMware vulnerabilities are on CISA's Known Exploited Vulnerabilities (KEV) list and are ranked by their current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2022-22947 | 94.5% | VMware Spring Cloud Gateway Code Injection Vulnerability |
| 2 | CVE-2021-22005 | 94.5% | VMware vCenter Server File Upload |
| 3 | CVE-2022-22954 | 94.4% | VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability |
| 4 | CVE-2022-22965 | 94.4% | Spring Framework JDK 9+ Remote Code Execution Vulnerability |
| 5 | CVE-2021-21975 | 94.4% | VMware Server Side Request Forgery in vRealize Operations Manager API |
| 6 | CVE-2021-21985 | 94.4% | VMware vCenter Server Remote Code Execution Vulnerability |
| 7 | CVE-2020-3952 | 94.4% | VMware vCenter Server Info Disclosure Vulnerability |
| 8 | CVE-2023-20887 | 94.3% | VMware Aria Operations for Networks Command Injection Vulnerability |
| 9 | CVE-2021-21972 | 93.8% | VMware vCenter Server Remote Code Execution Vulnerability |
| 10 | CVE-2018-6961 | 93.6% | VMware SD-WAN Edge by VeloCloud Command Injection Vulnerability |
By the Year
In 2026 there have been 19 vulnerabilities in VMware with an average score of 6.6 out of ten. Last year, in 2025, VMware had 39 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in VMware in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.63.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 19 | 6.56 |
| 2025 | 39 | 7.20 |
| 2024 | 52 | 7.02 |
| 2023 | 72 | 7.32 |
| 2022 | 79 | 7.21 |
| 2021 | 77 | 7.29 |
| 2020 | 61 | 7.01 |
| 2019 | 31 | 7.15 |
| 2018 | 59 | 7.33 |
It may take a day or so for new VMware vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent VMware Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-22739 | Mar 24, 2026 |
Spring Cloud PT via Profile Param (<3.1.13/4.1.9/4.2.3/4.3.2/5.0.2)Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2. |
|
| CVE-2026-22737 | Mar 19, 2026 |
Spring Framework 5.3.46-7.0.5 Path Traversal via Java Script ViewsUse of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46. |
|
| CVE-2026-22735 | Mar 19, 2026 |
Spring MVC/WebFlux SSE Stream Corruption for v5.3-7.0.5Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46. |
|
| CVE-2026-22733 | Mar 19, 2026 |
Spring Security 4.0.3 Auth Bypass via CloudFoundry Actuator (CVE-2026-22733)Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31. |
|
| CVE-2026-22732 | Mar 19, 2026 |
Spring Security HTTP Header Write Failure before 7.0.4When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. |
|
| CVE-2026-22731 | Mar 19, 2026 |
Auth Bypass in Spring Boot Actuator Health Group <=4.0.3Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different. |
|
| CVE-2026-22729 | Mar 18, 2026 |
JSONPath Injection in Spring AI AbstractFilterExpressionConverterA JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents. This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata. The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics. |
|
| CVE-2026-22730 | Mar 18, 2026 |
SQLi in Spring AI's MariaDBFilterExpressionConverter Bypass Metadata ControlsA critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization. |
|
| CVE-2026-22717 | Feb 27, 2026 |
VMware Workstation OOB Read Host Info DisclosureOut-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the machine where VMware Workstation is installed. |
|
| CVE-2026-22716 | Feb 27, 2026 |
VMware Workstation OoB Read Leak <=25H1Out-of-bound write vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to terminate certain Workstation processes. |
|
| CVE-2026-22722 | Feb 26, 2026 |
Authenticated User Null Pointer Deref in VMware Workstation on WindowsA malicious actor with authenticated user privileges on a Windows based Workstation host may be able to cause a null pointer dereference error. To Remediate CVE-2026-22722, apply the patches listed in the "Fixed version" column of the 'Response Matrix' |
|
| CVE-2026-22715 | Feb 26, 2026 |
VMware Workstation/Fusion VM Network Packet Interception FlawVMWare Workstation and Fusion contain a logic flaw in the management of network packets. Known attack vectors: A malicious actor with administrative privileges on a Guest VM may be able to interrupt or intercept network connections of other Guest VM's. Resolution: To remediate CVE-2026-22715 please upgrade to VMware Workstation or Fusion Version 25H2U1 |
|
| CVE-2026-22721 | Feb 25, 2026 |
Privilege Escalation in VMware Aria Ops via vCenter AccessVMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found in VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 . |
And others... |
| CVE-2026-22720 | Feb 25, 2026 |
VMware Aria Ops XS: Privileged XSS for Admin ActionsVMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947https:// . |
And others... |
| CVE-2026-22719 | Feb 25, 2026 |
VMware Aria Ops cmd injection leads to RCE during migrationVMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001 Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001 |
And others... |
| CVE-2026-2818 | Feb 20, 2026 |
Zip-Slip Path Traversal in Spring Data Geode Import Snapshot (Windows Only)A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only. |
|
| CVE-2026-2817 | Feb 19, 2026 |
Spring Data Geode Snapshot Import Uses Insecure Temp DirectoryUse of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another users extracted snapshot contents, leading to unintended exposure of cache data. |
|
| CVE-2025-25058 | Feb 10, 2026 |
ESXi Intel 800-Series Driver Info Disclosure (v<2.2.2.0 & 2.2.3.0)Improper initialization for some ESXi kernel mode driver for the Intel(R) Ethernet 800-Series before version 2.2.2.0 (esxi 8.0) & 2.2.3.0 (esxi 9.0) within Ring 1: Device Drivers may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. |
|
| CVE-2026-22718 | Jan 14, 2026 |
Command Injection in VSCode Spring CLI ExtensionThe VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine. |
|
| CVE-2025-41254 | Oct 16, 2025 |
Spring Framework STOMP/WS Bypass (5.3.x6.2.x)STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and VersionsSpring Framework: * 6.2.0 - 6.2.11 * 6.1.0 - 6.1.23 * 6.0.x - 6.0.29 * 5.3.0 - 5.3.45 * Older, unsupported versions are also affected. MitigationUsers of affected versions should upgrade to the corresponding fixed version. Affected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary. CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser. |
|
| CVE-2025-41253 | Oct 16, 2025 |
Spring Cloud Gateway Webflux Exposes Env Vars via SpELThe following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes. * An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured. |
And others... |
| CVE-2025-41252 | Sep 29, 2025 |
VMware NSX Username Enumeration (pre9.0.1, 4.2.2.2/4.2.3.1, 4.1.2.7, NSXT 3.2.4.3)Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access attempts. Impact: Username enumeration facilitates unauthorized access. Attack Vector: Remote, unauthenticated. Severity: Important. CVSSv3: 7.5 (High). Acknowledgments: Reported by the National Security Agency. Affected Products: * VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x * NSX-T 3.x * VMware Cloud Foundation (with NSX) 5.x, 4.5.x Fixed Versions: * NSX 9.0.1.0; 4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287). Workarounds: None. |
|
| CVE-2025-41251 | Sep 29, 2025 |
VMware NSX 9.x Weak Pwd Recovery Username Enum. High CVSS 8.1VMware NSX contains a weak password recovery mechanism vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially enabling brute-force attacks. Impact: Username enumeration credential brute force risk. Attack Vector: Remote, unauthenticated. Severity: Important. CVSSv3: 8.1 (High). Acknowledgments: Reported by the National Security Agency. Affected Products:VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x NSX-T 3.x VMware Cloud Foundation (with NSX) 5.x, 4.5.x Fixed Versions: NSX 9.0.1.0; 4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287). Workarounds: None. |
|
| CVE-2025-41250 | Sep 29, 2025 |
VMware vCenter SMTP Header Injection in Scheduled Task EmailsVMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks. |
And others... |
| CVE-2025-41245 | Sep 29, 2025 |
VMware Aria Ops Cred Disclosure via Info LeakVMware Aria Operations contains an information disclosure vulnerability. A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations. |
And others... |
| CVE-2025-41244 | Sep 29, 2025 |
VMware Aria Ops/Tools LPE via SDMP (VMware vSphere)VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM. |
And others... |
| CVE-2025-41246 | Sep 29, 2025 |
VMware Tools for Windows Improper Auth Exploits VM-to-VM AccessVMware Tools for Windows contains an improper authorisation vulnerability due to the way it handles user access controls. A malicious actor with non-administrative privileges on a guest VM, who is already authenticated through vCenter or ESX may exploit this issue to access other guest VMs. Successful exploitation requires knowledge of credentials of the targeted VMs and vCenter or ESX. |
|
| CVE-2025-41249 | Sep 16, 2025 |
Spring Framework Generic Annotation Detection Flaw in @EnableMethodSecurityThe Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 . |
|
| CVE-2025-41248 | Sep 16, 2025 |
Spring Security JIT Auth Bypass via @PreAuthorize on Generic SupertypeThe Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 . |
|
| CVE-2025-41242 | Aug 18, 2025 |
Spring MVC Path Traversal on Non-Compliant Servlet Containers (CVE-2025-41242)Spring Framework MVC applications can be vulnerable to a Path Traversal Vulnerability when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization * the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application. |
|
| CVE-2025-41241 | Jul 29, 2025 |
VMware vCenter Denial-of-Service via Guest OS Customization APIVMware vCenter contains a denial-of-service vulnerability. A malicious actor who is authenticated through vCenter and has permission to perform API calls for guest OS customisation may trigger this vulnerability to create a denial-of-service condition. |
|
| CVE-2025-41234 | Jun 12, 2025 |
Spring Framework 6.x RFD via CD#filename(String, Charset)Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a Content-Disposition header with a non-ASCII charset, where the filename attribute is derived from user-supplied input. Specifically, an application is vulnerable when all the following are true: * The header is prepared with org.springframework.http.ContentDisposition. * The filename is set via ContentDisposition.Builder#filename(String, Charset). * The value for the filename is derived from user-supplied input. * The application does not sanitize the user-supplied input. * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details). An application is not vulnerable if any of the following is true: * The application does not set a Content-Disposition response header. * The header is not prepared with org.springframework.http.ContentDisposition. * The filename is set via one of: * ContentDisposition.Builder#filename(String), or * ContentDisposition.Builder#filename(String, ASCII) * The filename is not derived from user-supplied input. * The filename is derived from user-supplied input but sanitized by the application. * The attacker cannot inject malicious content in the downloaded content of the response. Affected Spring Products and VersionsSpring Framework: * 6.2.0 - 6.2.7 * 6.1.0 - 6.1.20 * 6.0.5 - 6.0.28 * Older, unsupported versions are not affected MitigationUsers of affected versions should upgrade to the corresponding fixed version. Affected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary. 
CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets. |
|
| CVE-2025-22245 | Jun 04, 2025 |
VMware NSX Router Port Stored XSS via Improper Input ValidationVMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the router port due to improper input validation. |
And others... |
| CVE-2025-22244 | Jun 04, 2025 |
VMware NSX Stored XSS in Gateway FirewallVMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the gateway firewall due to improper input validation. |
And others... |
| CVE-2025-22243 | Jun 04, 2025 |
VMware NSX Manager UI XSS: Improper Input ValidationVMware NSX Manager UI is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper input validation. |
And others... |
| CVE-2025-41235 | May 30, 2025 |
Spring Cloud Gateway X-Forwarded-For header injection via untrusted proxiesSpring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. |
|
| CVE-2025-41226 | May 20, 2025 |
VMware ESXi Guest Operation Denial-of-Service via VMware ToolsVMware ESXi contains a denial-of-service vulnerability that occurs when performing a guest operation. A malicious actor with guest operation privileges on a VM, who is already authenticated through vCenter Server or ESXi may trigger this issue to create a denial-of-service condition of guest VMs with VMware Tools running and guest operations enabled. |
|
| CVE-2025-41225 | May 20, 2025 |
VMware vCenter Server Authenticated Command Execution via Alarm Script
The vCenter Server contains an authenticated command-execution vulnerability. A malicious actor with privileges to create or modify alarms and run script actions may exploit this issue to run arbitrary commands on the vCenter Server. |
|
| CVE-2025-41230 | May 20, 2025 |
VMware Cloud Foundation CVE-2025-41230 Info Disclosure via Port 443
VMware Cloud Foundation contains an information disclosure vulnerability. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to gain access to sensitive information. |
|
| CVE-2025-41231 | May 20, 2025 |
VMware Cloud Foundation Unauth Exec & Info Leak Vulnerability
VMware Cloud Foundation contains a missing authorisation vulnerability. A malicious actor with access to the VMware Cloud Foundation appliance may be able to perform certain unauthorised actions and access limited sensitive information. |
|
| CVE-2025-22233 | May 16, 2025 |
Spring Framework <=6.2.6 – Bind Bypass via disallowedFields
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.

Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.6
* 6.1.0 - 6.1.19
* 6.0.0 - 6.0.27
* 5.3.0 - 5.3.42
* Older, unsupported versions are also affected

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix Version | Availability |
|---|---|---|
| 6.2.x | 6.2.7 | OSS |
| 6.1.x | 6.1.20 | OSS |
| 6.0.x | 6.0.28 | Commercial https://enterprise.spring.io/ |
| 5.3.x | 5.3.43 | Commercial https://enterprise.spring.io/ |

No further mitigation steps are necessary. Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation. For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.

Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation. |
|
| CVE-2025-22249 | May 13, 2025 |
VMware Aria Automation DOM XSS for Access Token Theft
VMware Aria Automation contains a DOM-based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged-in user of the VMware Aria Automation appliance by tricking the user into clicking a maliciously crafted payload URL. |
And others... |
| CVE-2025-21460 | May 06, 2025 |
VMware ESXi Guest VM Controlled Buffer Memory Corruption
Memory corruption while processing a message: when the buffer is controlled by a Guest VM, the value can be changed continuously. |
|
| CVE-2025-22235 | Apr 28, 2025 |
Spring Security EndpointRequest.to() Null/** Matcher Bug
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:
* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest references is disabled or not exposed via web
* Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:
* You don't use Spring Security
* You don't use EndpointRequest.to()
* The endpoint which EndpointRequest.to() refers to is enabled and is exposed
* Your application does not handle requests to /null or this path does not need protection |
|
| CVE-2025-22231 | Apr 01, 2025 |
VMware Aria Ops LPE to root on appliance
VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with local administrative privileges can escalate their privileges to root on the appliance running VMware Aria Operations. |
|
| CVE-2025-30219 | Mar 25, 2025 |
RabbitMQ <4.0.3 XSS via unescaped VHost name in UI
RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack in which modifying a virtual host name on disk and then making the virtual host unrecoverable (with other on-disk file modifications) can lead to arbitrary JavaScript code execution in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, recent versions will display an error message (a notification) in the management UI. The error message includes the virtual host name, which was not escaped prior to open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3, 3.13.8. An attack that both makes a virtual host fail to start and creates a new virtual host name with an XSS code snippet or changes the name of an existing virtual host on disk could trigger arbitrary JavaScript code execution in the management UI (the user's browser). Open source RabbitMQ `4.0.3` and Tanzu RabbitMQ `4.0.3` and `3.13.8` patch the issue. |
|
| CVE-2025-22226 | Mar 04, 2025 |
VMware ESXi/Workstation/Fusion: OOB Read in HGFS Enables VM Memory Disclosure
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process. |
And others... |
| CVE-2025-22224 | Mar 04, 2025 |
VMware ESXi TOCTOU OOB Write Allows VM Admin Code Exec as VMX
VMware ESXi and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. |
And others... |
| CVE-2025-22225 | Mar 04, 2025 |
VMware ESXi Arbitrary Write Escape via VMX Kernel Write
VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox. |
And others... |
| CVE-2024-53031 | Mar 03, 2025 |
Memory Corruption in VMware ESXi Hypervisor via Guest-Controlled Buffer
Memory corruption while reading a type value from a buffer controlled by the Guest Virtual Machine. |
|