CVE-2025-41250
Published 2025-09-29
High, 8.5 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | cloud_foundation | — | — |
| vmware | cloud_foundation | >= 5.x < 5.2.2 | 5.2.2 |
| vmware | cloud_foundation | >= 9.x.x.x < 9.0.1.0 | 9.0.1.0 |
| vmware | telco_cloud_infrastructure | — | — |
| vmware | telco_cloud_platform | — | — |
| vmware | vcenter | >= 7.0 < 7.0 U3w | 7.0 U3w |
| vmware | vcenter | >= 8.0 < 8.0 U3g | 8.0 U3g |
| vmware | vsphere_foundation | >= 9.x.x.x < 9.0.1.0 | 9.0.1.0 |