A critical vulnerability in VMware vCenter Server has been disclosed by VMware. Tracked as CVE-2025-41225, the flaw allows authenticated users to execute arbitrary system commands by leveraging the alarm script feature. The issue is classified as high severity and affects multiple VMware platforms.
Vulnerability Summary:
The VMware vCenter Server command execution vulnerability is caused by improper neutralization of special elements in OS commands (CWE-78). It affects systems where users have permissions to create or modify alarms with custom script actions. Exploiting this vulnerability allows attackers to run arbitrary commands on the server operating system.
Technical Details:
- CVE: 2025-41225
- CWE: CWE-78 (OS Command Injection)
- CVSS v3.1 Score: 8.8 (High)
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Privileges Required: Low (alarm configuration access)
- User Interaction: None
- Scope: Changed
- Impact: Complete compromise of system confidentiality, integrity, and availability
Affected Software:
VMware vCenter Server
- Versions affected:
- 8.0 before Update 3e
- 7.0 before Update 3v
VMware Cloud Foundation
- Affected versions:
- 5.x
- 4.5.x
VMware Telco Cloud Platform
- Affected versions:
- 5.x, 4.x, 3.x, 2.x
VMware Telco Cloud Infrastructure
- Affected versions:
- 3.x, 2.x
Mitigation and Patching:
To address the VMware vCenter Server command execution vulnerability, VMware recommends upgrading to the following versions:
- vCenter Server 8.0 U3e or later
- vCenter Server 7.0 U3v or later
Patches for related VMware platforms are expected to align with vCenter updates. Until patched, restrict alarm modification privileges to trusted administrators and audit existing alarm configurations for misuse.
No workarounds are available. Patching is required for mitigation.