What is the CVSS score of CVE-2025-41250?

CVE-2025-41250 has a CVSS 3.1 base score of 8.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of VMware are affected by CVE-2025-41250?

Organizations using VMware vCenter face significant risk from CVE-2025-41250, a command injection vulnerability rated CVSS 8.5.

How to fix or mitigate CVE-2025-41250?

Within 30 days: Identify all affected systems and apply vendor patches as part of regular patch cycle. Validate that input sanitization is in place for all user-controlled parameters.

VMware CVE-2025-41250

HIGH

Command Injection (CWE-77)

2025-09-29 security@vmware.com

Command Injection VMware

8.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:14 vuln.today

CVE Published

Sep 29, 2025 - 18:15 nvd

HIGH 8.5

DescriptionNVD

VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks.

AnalysisAI

VMware vCenter contains an SMTP header injection vulnerability. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks.

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.

CVE-2025-41250 vulnerability details – vuln.today

Back