Broadcom has issued a security update addressing a denial-of-service (DoS) vulnerability affecting several VMware products, including vCenter Server, VMware Cloud Foundation, and specific telecommunications platforms. The flaw, identified as CVE-2025-41241, allows a malicious authenticated actor with permissions to perform guest OS customization API calls to trigger a denial-of-service condition.
A Moderate Risk With Significant Implications
Although rated as moderate severity (CVSSv3 score of 4.4), largely because exploitation requires valid credentials that already hold the guest OS customization privilege and the impact is limited to availability, the central role of vCenter in virtualized environments means this vulnerability should not be underestimated.
Potential impact: An attacker holding valid credentials with permission to perform guest OS customization API calls could exploit this flaw to disrupt essential management services within a virtualized environment, affecting the availability of critical virtual machines.
Affected Products
- VMware vCenter Server versions 7.0 and 8.0
- VMware Cloud Foundation versions 4.5.x and 5.x
- VMware Telco Cloud Platform versions 5.x and 2.x
- VMware Telco Cloud Infrastructure version 2.x
Fixes and Mitigation
Broadcom strongly recommends applying the available patches immediately based on the product version:
Product | Version | Available Patch |
---|---|---|
vCenter Server 8.0 | 8.0 U3g | Download |
vCenter Server 7.0 | 7.0 U3v | Download |
Cloud Foundation 5.x | — | Async patch to 8.0 U3g |
Cloud Foundation 4.5.x | — | Async patch to 7.0 U3v |
Telco Cloud Platform / Infrastructure | — | See KB405542 |
No workarounds are available, which makes patching even more urgent.
Acknowledgement and Industry Response
The vulnerability was responsibly disclosed by Orange-CERT-CC, with credit to researchers Clément Breuil and Arnaud Magendie, highlighting the increasing collaboration between European cybersecurity teams and global vendors like Broadcom.
Recommendations
- System administrators and security officers should review their environments and apply the appropriate patches as outlined in Broadcom’s response matrix.
- Test the patches in a staging environment before rolling them out to production vCenter instances.
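Because the flaw is only reachable by an authenticated account that can call the guest OS customization API, a useful first step while the patch is scheduled is to find out which principals in your environment actually hold that capability. The script below is an added example, not Broadcom's code or a workaround: it works offline over a constructed export of vCenter roles and permissions in the shape of `AuthorizationManager.roleList` and `RetrieveAllPermissions`, and it assumes that the vSphere privilege IDs under `VirtualMachine.Provisioning.*` listed in `CUSTOMIZATION_PRIVS` are the ones gating the API the advisory refers to (the advisory itself names no privilege IDs, so verify against Broadcom's privilege reference). The sample roles and permissions are constructed data.

```python
"""Scope exposure to CVE-2025-41241 from an offline export of vCenter roles and permissions.

Added example, not Broadcom's code. Assumptions: the export has the shape of
SAMPLE_ROLES / SAMPLE_PERMISSIONS below (constructed data), and the privileges
that gate guest OS customization calls are the IDs in CUSTOMIZATION_PRIVS.
"""

# vSphere privilege IDs for guest customization. Assumption: these are the
# privileges behind the "guest OS customization API calls" in the advisory.
CUSTOMIZATION_PRIVS = {
    "VirtualMachine.Provisioning.Customize",
    "VirtualMachine.Provisioning.ReadCustSpecs",
    "VirtualMachine.Provisioning.ModifyCustSpecs",
}

ADMIN_ROLE_ID = -1  # built-in Administrator role; holds every privilege

# Constructed sample export (field names simplified from the vSphere API).
SAMPLE_ROLES = [
    {"roleId": -1, "name": "Admin", "system": True,
     "privileges": ["System.Anonymous", "System.View", "System.Read"]},  # abbreviated
    {"roleId": -2, "name": "ReadOnly", "system": True,
     "privileges": ["System.Anonymous", "System.View", "System.Read"]},
    {"roleId": 1001, "name": "VM Deployer", "system": False,
     "privileges": ["System.Anonymous", "System.View", "System.Read",
                    "VirtualMachine.Provisioning.Customize",
                    "VirtualMachine.Provisioning.ReadCustSpecs",
                    "VirtualMachine.Interact.PowerOn"]},
    {"roleId": 1002, "name": "Console User", "system": False,
     "privileges": ["System.Anonymous", "System.View", "System.Read",
                    "VirtualMachine.Interact.ConsoleInteract"]},
]

SAMPLE_PERMISSIONS = [
    {"principal": "VSPHERE.LOCAL\\Administrator", "group": False, "roleId": -1,
     "entity": "Datacenters", "propagate": True},
    {"principal": "CORP\\vm-deployers", "group": True, "roleId": 1001,
     "entity": "Datacenters/DC01/vm/Templates", "propagate": True},
    {"principal": "CORP\\helpdesk", "group": True, "roleId": 1002,
     "entity": "Datacenters/DC01/vm", "propagate": True},
    {"principal": "CORP\\auditor", "group": False, "roleId": -2,
     "entity": "Datacenters", "propagate": True},
]


def roles_with_customization(roles):
    """Return {roleId: (name, matched privileges)} for every role that grants at
    least one customization privilege. The built-in Admin role is always
    included because it implicitly carries every privilege, even when an
    export lists its privileges in abbreviated form."""
    hits = {}
    for role in roles:
        if role["roleId"] == ADMIN_ROLE_ID:
            hits[role["roleId"]] = (role["name"], set(CUSTOMIZATION_PRIVS))
            continue
        matched = CUSTOMIZATION_PRIVS & set(role["privileges"])
        if matched:
            hits[role["roleId"]] = (role["name"], matched)
    return hits


def exposed_principals(roles, permissions):
    """Return a sorted list of (principal, role name, entity, propagate) for every
    permission assignment that hands out a customization-capable role. Each
    entry is an account or group that could trigger the DoS on an unpatched
    vCenter, so it is where to focus credential hygiene and monitoring."""
    capable = roles_with_customization(roles)
    found = []
    for perm in permissions:
        if perm["roleId"] in capable:
            found.append((perm["principal"], capable[perm["roleId"]][0],
                          perm["entity"], perm["propagate"]))
    return sorted(found)


if __name__ == "__main__":
    for principal, role, entity, propagate in exposed_principals(SAMPLE_ROLES, SAMPLE_PERMISSIONS):
        scope = "propagating" if propagate else "non-propagating"
        print(f"{principal:32} role={role!r:16} on {entity} ({scope})")
```

Against a real vCenter the two sample lists would be replaced by the output of `AuthorizationManager.roleList` and `RetrieveAllPermissions` (for example via pyVmomi); the logic is unchanged. Reducing who holds the role is not a substitute for the patch, since Broadcom lists no workaround, but it narrows the set of accounts whose compromise would matter before the update is applied.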
Another Reminder of the Complexity of Infrastructure Software
This latest advisory comes as Broadcom, following its acquisition of VMware, faces industry scrutiny over changes to licensing models, product offerings, and security posture. Timely and coordinated patch releases will be key to maintaining trust among enterprises relying on VMware as the backbone of their IT infrastructure.
Conclusion: While this is not a critical vulnerability, its potential to cause operational disruptions makes it imperative for organizations to act swiftly and responsibly.
source: support.broadcom.com