Broadcom releases VMware VMSA‑2025‑0014 Security Advisory and multiple VMware product releases

📌 Overview

Broadcom has issued VMSA‑2025‑0014, a security advisory addressing a denial-of-service vulnerability (CVE‑2025‑41241) in VMware vCenter Server. The advisory was published on July 29, 2025.

In parallel, Broadcom released updates for multiple VMware products to address this and other issues.

📢 Update July 31, 2025: Heads up on ASLCM PATCH3. You need to manually edit /etc/fstab, otherwise the patch will fail to mount /boot after reboot. See my blog post here for details.

📢 Update August 4, 2025: Added info about Orchestrator and Ops for Networks to the product updates list, as well as information about a new pending patch for vIDM.

🛠️ Vulnerability Details

  • Affected Component: VMware vCenter Server
  • CVE Identifier: CVE‑2025‑41241
  • Severity: Moderate (CVSS v3.1 base score: 4.4)
  • Attack Vector: Requires authentication and access to guest OS customization APIs
  • Impact: Could trigger a denial-of-service condition
  • Workaround: None available, patching is required (vCenter 8U3g / 7U3v)

📦 Other VMware Product Updates

  • ESXi 8.0 U3g – Release Notes
  • Aria Suite Lifecycle 8.18 Patch 3 – Release Notes
  • Workspace ONE Access / vIDM 3.3.7 – Patch KB404054 – ⚠️ An updated patch is expected on 2025-08-04; see this blog post.
  • VMware Aria Operations 8.18.4 – Release Notes
  • VMware Aria Operations for Logs 8.18.4 – Release Notes
  • VMware Aria Automation 8.18.1 Cumulative Update #3 – Update KB403690
    • Includes the update for Orchestrator 8.18.1 Cumulative Update #3
  • VMware Aria Operations for Networks 6.14.1 has been mentioned, but the update had not yet been made available as of 2025-08-04.

✅ What You Should Do

  • Identify any impacted vCenter Server deployments (7.0 or 8.0).
  • Apply the relevant patches:
    • vCenter 8.0 → Update to U3g
    • vCenter 7.0 → Update to U3v
  • Patch VMware Cloud Foundation and Telco Cloud products as per async guidance.
  • Update affected products such as ESXi, WSA/vIDM, and Aria Suite components.
  • Test and validate updates in a non-production environment before rolling out widely.

🔍 Why It Matters

Although this vulnerability is rated Moderate, it can be used by authenticated users or compromised accounts to disrupt vCenter Server operations. There’s no workaround, making timely patching essential, especially if you’re using guest OS customization APIs.

⚙️ Related Releases
