CVE-2025-41250

CWE-77 — Command Injection3 documents3 sources

Severity

8.5HIGH

EPSS

0.1%

top 77.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Cloud Foundation Vmware Vcenter Vmware Vsphere Foundation +2 more

Timeline

PublishedSep 29

Description

VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:LExploitability: 3.1 | Impact: 4.7

Affected Packages5 packages

▶CVEListV5vmware/vcenter8.0 — 8.0 U3g+1

▶CVEListV5vmware/cloud_foundation9.x.x.x — 9.0.1.0+2

▶CVEListV5vmware/vsphere_foundation9.x.x.x — 9.0.1.0

▶CVEListV5vmware/telco_cloud_platform5.x, 4.x, 3.x, 2.x

▶CVEListV5vmware/telco_cloud_infrastructure3.x, 2.x

🔴Vulnerability Details

GHSA

GHSA-5qfp-g44c-j8xm: VMware vCenter contains an SMTP header injection vulnerability↗2025-09-29

▶

CVEList

Header injection vulnerability↗2025-09-29

▶