Product Release
Product | Version | Release Date | Download | Release Notes |
---|---|---|---|---|
vCenter Server | 7.0 u3 v | 05/20 | Download | Release Notes |
ESXi | 7.0 u3 v | 05/20 | Download | Release Notes |
Skyline Health Diagnostics | 4.0.9 | 05/30 | Download | Release Notes |
VMware Security Advisories
VMSA-2025-0009 [HIGH]: VMware Cloud Foundation (CVSSv3 7.3 – 8.2)

CVE(s):
- VMware Cloud Foundation Directory Traversal Vulnerability (CVE-2025-41229)
- VMware Cloud Foundation Information Disclosure Vulnerability (CVE-2025-41230)
- VMware Cloud Foundation Missing Authorisation Vulnerability (CVE-2025-41231)

Description

CVE-2025-41229: VMware Cloud Foundation contains a directory traversal vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to access certain internal services. To remediate CVE-2025-41229 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. VMware would like to thank Gustavo Bonito of NATO Cyber Security Centre (NCSC) for reporting this issue to us.

CVE-2025-41230: VMware Cloud Foundation contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to gain access to sensitive information. To remediate CVE-2025-41230 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. VMware would like to thank Gustavo Bonito of NATO Cyber Security Centre (NCSC) for reporting this issue to us.

CVE-2025-41231: VMware Cloud Foundation contains a missing authorisation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3. A malicious actor with access to VMware Cloud Foundation appliance may be able to perform certain unauthorised actions and access limited sensitive information. To remediate CVE-2025-41231 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. VMware would like to thank Gustavo Bonito of NATO Cyber Security Centre (NCSC) for reporting this issue to us.

Version | CVE | Fixed Version | Workaround |
---|---|---|---|
5.x | CVE-2025-41229, CVE-2025-41230, CVE-2025-41231 | 5.2.1.2 | None |
4.x | CVE-2025-41229, CVE-2025-41230, CVE-2025-41231 | KB398008 | None |
VMSA-2025-0010 [HIGH]: VMware Cloud Foundation, VMware Fusion, VMware Workstation, VMware Telco Cloud Infrastructure, VMware Telco Cloud Platform, VMware vCenter Server, VMware vSphere ESXi (CVSSv3 4.3 – 8.8)

CVE(s):
- VMware vCenter Server authenticated command-execution vulnerability (CVE-2025-41225)
- Guest Operations Denial-of-Service Vulnerability (CVE-2025-41226)
- Denial-of-Service Vulnerability (CVE-2025-41227)
- VMware ESXi and vCenter Server Reflected Cross Site Scripting (XSS) Vulnerability (CVE-2025-41228)

Description

CVE-2025-41225: The vCenter Server contains an authenticated command-execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8. A malicious actor with privileges to create or modify alarms and run script action may exploit this issue to run arbitrary commands on the vCenter Server. To remediate CVE-2025-41225 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. VMware would like to thank Oliver Bachtik and Bert De Bruijn for reporting this issue to us.

CVE-2025-41226: VMware ESXi contains a denial-of-service vulnerability that occurs when performing a guest operation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.8. A malicious actor with guest operation privileges on a VM, who is already authenticated through vCenter Server or ESXi may trigger this issue to create a denial-of-service condition of guest VMs with VMware Tools running and guest operations enabled. To remediate CVE-2025-41226 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. VMware would like to thank security researcher Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) of Statnett (Norway) and Uros Orozel for independently reporting this issue to us.

CVE-2025-41227: VMware ESXi, Workstation, and Fusion contain a denial-of-service vulnerability due to certain guest options. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5. A malicious actor with non-administrative privileges within a guest operating system may be able to exploit this issue by exhausting memory of the host process leading to a denial-of-service condition. To remediate CVE-2025-41227 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. VMware would like to thank the National Security Agency for reporting this issue to us.

CVE-2025-41228: VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites. To remediate CVE-2025-41228 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. VMware would like to thank Huang for reporting this issue to us.

Product (Version) | CVE | Fixed Version | |
---|---|---|---|
vCenter Server (8) | CVE-2025-41225, CVE-2025-41228 | 8.0 U3e | |
vCenter Server (7) | CVE-2025-41225 | 7.0 U3v | |
VMware ESXi (8) | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | ESXi80U3se-24659227 | |
VMware ESXi (7) | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | ESXi70U3sv-24723868 | |
VMware Cloud Foundation (vCenter) (5.x) | CVE-2025-41225, CVE-2025-41228 | Async patch to 8.0 U3e | |
VMware Cloud Foundation (vCenter) (4.5.x) | CVE-2025-41225 | Async patch to 7.0 U3v | |
VMware Cloud Foundation (ESXi) (5.x) | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | Async patch to ESXi80U3se-24659227 | |
VMware Cloud Foundation (ESXi) (4.5.x) | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | Async patch to ESXi70U3sv-24723868 | |
VMware Telco Cloud Platform (ESXi) (5.x, 4.x, 3.x, 2.x) | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | ESXi80U3se-24659227 | |
VMware Telco Cloud Infrastructure (ESXi) (3.x) | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | ESXi80U3se-24659227 | |
VMware Telco Cloud Infrastructure (ESXi) (2.x) | CVE-2025-41226, CVE-2025-41227, CVE-2025-41228 | ESXi70U3sv-24723868 | |
VMware Telco Cloud Platform (vCenter) (5.x, 4.x, 3.x, 2.x) | CVE-2025-41225, CVE-2025-41228 | 8.0 U3e | |
VMware Telco Cloud Infrastructure (vCenter) (3.x) | CVE-2025-41225 | 8.0 U3e | |
VMware Telco Cloud Infrastructure (vCenter) (2.x) | CVE-2025-41225 | 7.0 U3v | |
VMware Workstation (17.x) | CVE-2025-41227 | 17.6.3 | |
VMware Fusion (13.x) | CVE-2025-41227 | 13.6.3 |
Product Lifecycle
Product | Version | EOL |
---|---|---|
VMware Data Services Manager | 2.1.2 | 24.06.2025 |
Uhana by VMware | 0.52.3 | 30.06.2025 |
Uhana by VMware | 0.52.4 | 30.06.2025 |
Uhana by VMware | 0.52.5 | 30.06.2025 |
Uhana by VMware | 0.52.6 | 30.06.2025 |
VMware Data Services Manager | 2.1.3 | 16.07.2025 |
VMware Kubernetes Container Clusters Plug-in | 4.1.1 | 18.07.2025 |
VMware HCX | 4.10 | 27.07.2025 |
VMware HCX | 4.10.1 | 27.07.2025 |
VMware HCX | 4.10.2 | 27.07.2025 |
VMware HCX | 4.10.3 | 27.07.2025 |
TKr 1.29.4 for vSphere 8.x | 1.29.4 | 28.07.2025 |
VMware Integrated OpenStack | 7.3 | 31.07.2025 |
VMware vCenter Converter | 6.6.0 | 22.09.2025 |
TKr 1.30.1 for vSphere 8.x | 1.30.1 | 28.09.2025 |
TKr 1.30.8 for vSphere 8.x | 1.30.8 | 28.09.2025 |
KB Articles
KB Article | ID |
---|---|
ESXi hosts may PSOD during upgrade from NSX 3.2.x or 4.0.x/4.1.x to 4.2.2 due to NSX VSIP module panic. | |
VSAN health check failed: vSAN cluster partition when trying to patch stretched cluster to ESXI 8.0U3d | 399632 |
Data Services Manager – Upgrade to 2.2.2 from 2.2.1 fails | 399627 |
ESXi host cannot install VIBs – shows non-compliant after performing baseline/image remediation. | 399620 |
NSX manager syslog is not reporting user successful LOGIN events | 399588 |
VM Guest Metrics Missing in Aria Operations | 399513 |
vSAN — ESXi Host vSAN Storage is down after moving vSAN Cluster to another vCenter | 399504 |
vSAN traces daemon (vsantraced service) fails with admission failure errors | 399290 |
Disruptive actions for Aria Operations for Logs cluster that could cause data loss | 399260 |
Networking not found after reboot of VIDM cluster | 399247 |
Multicast traffic between VLAN and Overlay segment through edge bridge doesn’t work. | 399231 |
Global Manager Missing from Upgrade Menu in Federation Environment | 399224 |
Upgrade vSAN Data Protection Appliance to new patches | 399210 |
Grayed out certificate cannot be removed | 399204 |
HA Event and resource utilization | 399125 |
NSX upgrade page show blank | 399060 |
The limitation of Proactive HA in 2-node vSphere HA cluster | 398787 |
Podcast | Webinar | Blog Posts
City of Fort Lauderdale – VMware Modernization Project VMware CMTY Podcast #727 | 06/04 Podcast |
---|---|
Join us for Podcast #727 as we dive into the City of Fort Lauderdale’s VMware Modernization Project with CIO Tamecka McKay and SME & Division Manager Derek Richardson. They’ll share how they’re transforming IT infrastructure, managing large-scale modernization efforts, and overcoming challenges along the way. Plus, we’ll explore Tamecka’s VMUG journey, how community involvement has shaped careers, and her insights from VMware Explore. Don’t miss this episode packed with real-world lessons and expert insights! |
The Modern VKS: Unlocking What’s Already Inside Your VKS VCF – vSphere Kubernetes Service (VKS) | Youtube |
---|---|
You’ve already got the tools—now it’s time to unlock their full potential. Join VMware by Broadcom’s own Bryan Sullins for a lively, myth-busting session exploring the modern VKS. We’ll unpack what’s changed, what’s possible, and how to take advantage of features […] |
Mastering Get-View: Enhance vCenter User Auditing VCF – PowerCLI | Blogpost |
---|---|
If you’re already using PowerCLI, you know it’s a powerhouse for automating routine tasks. But you might not know it can unlock advanced operations. These operations are nearly impossible to achieve through the vSphere UI alone. PowerCLI: More Than Meets the Eye At VMware, we […] |
VMware Cloud Foundation: Don’t Forget About SSO Service Accounts VMware Cloud Foundation – Webinar Series | Webinar |
---|---|
Are you still using spreadsheets to plan capacity in your Virtual infrastructure? One key requirement when delivering a modern and robust private cloud is to always ensure sufficient capacity for running the apps that grow the business. Unlike Public Clouds, private clouds do not have endless resources, so the ability to manage, monitor, and forecast capacity is critical to success. In this session, learn how VCF Operations can support not only driving a capacity-efficient private cloud but also forecast capacity growth and, ultimately, get rid of those spreadsheets! Speaker: Christopher Lewis, Lead Solutions Architect, VCF Specialist UK&I |
Norwegian Public Roads Administration Accelerates Service Delivery and Innovation with VMware Cloud Foundation VMware Cloud Foundation | Blogpost |
---|---|
Norwegian Public Roads Administration (Statens vegvesen) is the government agency responsible for national and county public roads in Norway. Its remit includes the construction and maintenance of the road network, as well as vehicle inspection, driver training and road safety. With a vision to create a more intelligent, safe and connected transportation ecosystem, the agency wanted to modernize its IT infrastructure to support innovative initiatives like intelligent transport systems and expanded public data access. Interview: Ketil Bårdsnes (Team Leader for Central Infrastructure NPRA) – Youtube |
VCF 9.0 Hardware Considerations williamlam.com | Blogpost |
---|---|
It is VERY important to understand that VMware/Broadcom does NOT certify hardware and I/O devices, which is still a common misconception and/or FUD being thrown out in the community. Our OEM partners ultimately decide which devices to certify for each release and they may choose NOT to re-certify devices for a number of reasons including earlier end-of-sales and end-of-life support. This is not unique to VCF 9.0 and it is not unique pre or post-acquisition of VMware. |