CVE-2025-41228
published 2025-05-20CVE-2025-41228: VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access…
medium4.3CVSS 3.1
AVNACLPRNUIRSUCLINAN
EXPLOIT
VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | cloud_foundation | — | — |
| vmware | esxi | >= 7.0 < ESXi70U3sv-24723868 | ESXi70U3sv-24723868 |
| vmware | esxi | >= 8.0 < ESXi80U3se-24659227 | ESXi80U3se-24659227 |
| vmware | telco_cloud_infrastructure | — | — |
| vmware | telco_cloud_platform | — | — |
| vmware | vcenter_server | >= 8.0 < 8.0 U3e | 8.0 U3e |