High

Username Enumeration in VMware NSX Password Recovery Mechanism

IdentifiersCVE-2025-41251CWE-640· Weak Password Recovery Mechanism…

CVE-2025-41251 is a high-severity vulnerability in VMware NSX caused by a weak password recovery mechanism. The flaw allows a remote, unauthenticated attacker to interact with the password recovery functionality and distinguish whether a supplied username is valid based on differing application responses. The supporting content indicates the enumeration may be observable through differences such as error messages, HTTP status codes, or timing behavior. This affects VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x, NSX-T 3.x, and VMware Cloud Foundation deployments that include affected NSX versions. The issue is classified as CWE-640 and has a CVSS v3 score of 8.1.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to remotely enumerate valid usernames on the target NSX deployment without authentication. While the flaw does not itself provide code execution or direct privilege escalation, it materially reduces uncertainty for follow-on attacks by enabling targeted credential brute-force and password-spraying attempts against confirmed accounts. Internet-exposed NSX management interfaces are particularly at risk because the vulnerability can be used as a reconnaissance primitive to improve the efficiency and success probability of subsequent authentication attacks.

Mitigation

If you can’t patch tonight, do this now.

No vendor workaround is available according to the provided content. Until patches are applied, exposure can only be reduced operationally by limiting network access to NSX management interfaces, especially from untrusted networks, and by monitoring for password recovery abuse, username enumeration patterns, brute-force attempts, and password-spraying activity. Additional compensating controls such as rate limiting, MFA on administrative access paths where applicable, and segmentation of management interfaces may reduce follow-on risk but do not remediate the underlying flaw.

Remediation

Patch, then assume compromise.

Apply Broadcom's fixed releases for affected products. The content identifies the following fixed versions: VMware NSX 9.0.1.0; VMware NSX 4.2.2.2 or 4.2.3.1; VMware NSX 4.1.2.7; NSX-T 3.2.4.3; and the applicable VMware Cloud Foundation async patch referenced as KB88287/CCF async patch. Organizations should upgrade all affected NSX and NSX-backed Cloud Foundation deployments to the vendor-specified patched versions.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

BroadcomNsxapplication

BroadcomNsx-Tapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app

bleeping computerNews

Jan 26, 2026

CISA says critical VMware RCE flaw now actively exploited

A high-severity vulnerability in VMware NSX (details not provided in the content) for which Broadcom released patches.

the hacker newsNews

Oct 6, 2025

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

A critical vulnerability in Broadcom VMware, details not specified in the content.

scworldNews

Sep 30, 2025

Broadcom fixes three high-severity VMware bugs

A high-severity unauthenticated username enumeration vulnerability in VMware NSX/NSX-T that enables reconnaissance to validate accounts, facilitating subsequent credential-based attacks and potential chaining to deeper compromise.

bleeping computerNews

Sep 30, 2025

Broadcom fixes high-severity VMware NSX bugs reported by NSA

A high-severity VMware NSX vulnerability caused by a weakness in the password recovery mechanism that allows unauthenticated username enumeration.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-41251

NVD

nvd.nist.gov/vuln/detail/CVE-2025-41251

MITRE CWE · CWE-640

Weak Password Recovery Mechanism for Forgotten…

support.broadcom.com

support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36150