VYPR
Medium severity · 4.3 (NVD) · Advisory · Published May 20, 2025 · Updated Apr 15, 2026

CVE-2025-41228

Description

VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability in login page URL paths, allowing cookie theft or redirection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2025-41228 is a reflected cross-site scripting (XSS) vulnerability in VMware ESXi and vCenter Server, caused by improper input validation of certain URL paths on the login page [1]. This flaw allows an attacker to inject malicious script into the response, which is then executed in the victim's browser.

Exploitation

An attacker with network access to the login page of an affected ESXi host or vCenter Server can craft a URL that, when visited by a user, triggers the XSS. No authentication is required, and the attack can be performed remotely over the network [1].

Impact

Successful exploitation enables the attacker to steal session cookies (leading to session hijacking) or redirect the victim to a malicious website, potentially for phishing or malware delivery [1].

Mitigation

Broadcom has released updates as part of VMSA-2025-0010 to remediate this vulnerability. Affected users should apply the latest patches for ESXi, vCenter Server, and related products. No workarounds are currently available [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application fails to sanitize input passed via a query string to the `/folder` endpoint, resulting in arbitrary JavaScript execution."

Attack vector

A malicious actor with network access to the login page, via certain ESXi host or vCenter Server URL paths, may exploit this issue. The vulnerability requires an active session, such as one initiated via prior authentication, to successfully execute. The actor can inject a malicious payload into the query string of a request to the `/folder` endpoint. This payload is then reflected unencoded into an HTML form's `action` attribute, leading to script execution [1].

Affected code

The vulnerability lies within the `/folder` endpoint of the VMware vSphere Client. Specifically, the application fails to sanitize input passed via a query string to this endpoint, reflecting it into an HTML form's `action` attribute without proper neutralization [1].

What the fix does

The advisory does not specify a patch or provide remediation guidance. Therefore, the exact fix is not detailed. However, the vulnerability is described as improper input validation leading to cross-site scripting, suggesting that sanitizing or neutralizing user-controllable input before it is placed in output would address the issue [CWE-79].
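The following is an added illustration, not code from VMware or from the advisory: a hypothetical server-side renderer that reproduces the pattern described above (a request path reflected verbatim into a form's `action` attribute), shown beside two hardened variants. The first hardened variant applies HTML attribute encoding to the reflected value; the second stops reflecting the query string at all. A small parser-based check then shows what a browser-like tokenizer makes of each rendering, using the request line from the reproduction section as constructed sample input. The function names and the form markup are assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input: the request path from the advisory's reproduction
# step, with the double quote that breaks out of the attribute value.
SAMPLE_PATH = "/folder?ht7j4\"><script>alert('ThisIsAnXSSBug')</script>tnkav=1"


def render_form_vulnerable(request_path: str) -> str:
    """Vulnerable pattern (hypothetical): the request path is placed into the
    form's action attribute without any encoding. A '"' in the query string
    terminates the attribute and the remainder is parsed as markup."""
    return f'<form method="post" action="{request_path}"><input name="u"></form>'


def render_form_hardened(request_path: str) -> str:
    """Hardened pattern: HTML-attribute-encode the reflected value so that
    quotes, angle brackets and ampersands cannot end the attribute or open a
    tag. html.escape(quote=True) encodes both kinds of quote characters."""
    safe = html.escape(request_path, quote=True)
    return f'<form method="post" action="{safe}"><input name="u"></form>'


def render_form_path_only(request_path: str) -> str:
    """Stricter alternative: do not reflect the query string at all. Only the
    path component is kept, which removes the user-controlled portion instead
    of encoding it. Encoding is still applied as defence in depth."""
    safe = html.escape(urlsplit(request_path).path, quote=True)
    return f'<form method="post" action="{safe}"><input name="u"></form>'


class _FormScanner(HTMLParser):
    """Tokenizes the rendered markup and records what a browser would see:
    how many <script> start tags exist and what the form's action attribute
    actually contains after attribute-value decoding."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.form_action = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        if tag == "form" and self.form_action is None:
            self.form_action = dict(attrs).get("action")


def analyse(markup: str) -> dict:
    """Return {'script_tags': n, 'form_action': value} for a rendered page."""
    scanner = _FormScanner()
    scanner.feed(markup)
    scanner.close()
    return {"script_tags": scanner.script_tags, "form_action": scanner.form_action}


if __name__ == "__main__":
    for name, renderer in (
        ("vulnerable", render_form_vulnerable),
        ("hardened", render_form_hardened),
        ("path-only", render_form_path_only),
    ):
        print(name, analyse(renderer(SAMPLE_PATH)))
```

Running the block shows the vulnerable rendering producing a real `<script>` element (with the form's action truncated at the injected quote), while both hardened renderings yield zero script elements: the encoded variant keeps the full request path as an inert attribute value, and the path-only variant keeps just `/folder`. Attribute encoding at the point of output is the generic CWE-79 remedy the text refers to; dropping the reflection entirely is preferable where the application has no need to echo the query string.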

Preconditions

  • Network: network access to the login page of certain ESXi host or vCenter Server URL paths.
  • Auth: an active authenticated session is required for the exploit to execute.

Reproduction

1. Initiate a request to the vulnerable endpoint, for example: `https://host/folder?ht7j4`.
2. Intercept and modify the request using Burp Suite to inject an XSS payload into the query string, such as: `GET /folder?ht7j4"><script>alert('ThisIsAnXSSBug')</script>tnkav=1 HTTP/2`.
3. Forward the modified request with an authenticated session (cookies included) to trigger script execution [1].

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.