VMware Cloud Foundation Missing Authorisation Vulnerability
Description
VMware Cloud Foundation contains a missing authorisation vulnerability. A malicious actor with access to the VMware Cloud Foundation appliance may be able to perform certain unauthorised actions and access limited sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in VMware Cloud Foundation allows a malicious actor with access to the appliance to perform certain unauthorized actions and access limited sensitive information.
Vulnerability
VMware Cloud Foundation contains a missing authorization vulnerability (CVE-2025-41231). The flaw allows a malicious actor with access to the VMware Cloud Foundation appliance to perform certain unauthorized actions and access limited sensitive information. The specific component and exact conditions required to reach the vulnerable code path have not been disclosed in the advisory. Affected versions include VMware Cloud Foundation deployments prior to the updates specified in VMSA-2025-0009 [1].
Exploitation
An attacker must have access to the VMware Cloud Foundation appliance, implying a prior foothold or authenticated access. The advisory does not detail the precise steps or attack vector required to trigger the missing authorization. The vulnerability is distinct from CVE-2025-41229 (directory traversal) and CVE-2025-41230 (information disclosure), which require network access to port 443 [1].
Impact
Successful exploitation enables the attacker to perform actions that should be restricted and access limited sensitive information. The level of privilege achieved and the nature of the unauthorized actions are not fully described, but the CVSSv3 base score range for the advisory is 7.3-8.2, indicating high severity [1].
Mitigation
Broadcom (VMware) has released updates to remediate this vulnerability. The fixed versions are listed in the 'Fixed Version' column of the Response Matrix in VMSA-2025-0009 [1]. No workarounds are available. Affected users should apply the updates as soon as possible.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.