VMware NSX Advisory VMSA-2025-0012: Stored XSS Vulnerabilities in VMware NSX Manager and Firewall
What Is It?
On June 4, 2025, Broadcom issued Security Advisory VMSA-2025-0012 disclosing three stored cross-site scripting (XSS) vulnerabilities affecting VMware NSX. These flaws exist within the NSX Manager user interface, Gateway Firewall, and Router Port components. They are tracked as CVE-2025-22243, CVE-2025-22244, and CVE-2025-22245. These vulnerabilities impact multiple NSX versions including 4.1.x, 4.2.1.x, and 4.2.x, and extend to affected deployments of VMware Cloud Foundation and VMware Telco Cloud Platform. The assigned CVSSv3 base scores for these flaws range from 5.9 to 7.5, reflecting severity levels from Moderate to Important.
Each vulnerability allows an authenticated user with specific privileges to inject malicious scripts that become persistently stored within the NSX Manager environment. Once stored, these scripts are triggered when other users access the affected UI components.
Why Does It Matter?
NSX serves as the cornerstone for network virtualization and security within many enterprise environments. Stored XSS vulnerabilities in a platform like this introduce serious concerns related to session hijacking, unauthorized access, and data compromise. An attacker with sufficient access could plant a malicious script that executes whenever a more privileged user views a compromised page. This behavior could lead to impersonation of high-privilege accounts, unauthorized configuration changes, and exposure of sensitive data.
Because the vulnerabilities exist within critical control interfaces, the exploitation surface spans administrative workflows that organizations regularly rely upon to manage their virtualized networks. A successful exploit would not require external access, only the ability to inject malicious content through authenticated access. As such, it represents an insider threat or lateral movement opportunity for an attacker who has already gained a foothold in the network.
Risk Scenarios
In one scenario, a user with access to the NSX Manager interface could modify configuration fields in a way that embeds JavaScript code. When a system administrator later views these altered fields, the script silently executes in the administrator’s browser, potentially stealing session tokens or performing unauthorized actions on their behalf.
Another scenario involves tampering with Gateway Firewall responses. An attacker could inject scripts that get rendered during URL filtering operations, exposing unsuspecting users to malicious payloads simply by triggering those filters through normal web access.
A final case may involve router port configuration manipulation. Here, an attacker could embed harmful content in the display elements for router port settings, waiting for another user to inspect them during routine management. The risk arises from trusted users unknowingly activating malicious actions by performing their standard administrative duties.
What Can I Do About It?
Organizations running affected versions of NSX should prioritize upgrading to fixed releases immediately. Specifically, environments using NSX 4.2.x should upgrade to version 4.2.2.1. Those on 4.2.1.x should move to 4.2.1.4, and those on 4.1.x should patch to version 4.1.2.2. These releases contain the necessary fixes to eliminate the stored XSS vulnerabilities.
In addition to applying patches, administrators should audit current user roles and privileges to ensure that access to UI components capable of injecting persistent content is tightly controlled. Input validation within administrative fields should be reviewed to prevent injection of unauthorized scripts. Regular security monitoring should include the inspection of configuration changes and logs for unexpected modifications that may indicate an exploit attempt.
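One way to carry out the configuration inspection described above, as an added example that is not from Broadcom or the original article: it walks an exported set of NSX objects and flags string fields containing HTML or script-like markup for manual review. The export shape, the field names (`display_name`, `description`, `_last_modified_user`) and the sample records are assumptions constructed for illustration.

```python
import re

# Heuristic rules: markup that does not belong in a name or description field.
# A hit means "review this value", not proof of exploitation.
RULES = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script-uri", re.compile(r"\bjavascript\s*:", re.I)),
    ("encoded-tag", re.compile(r"(?:%3c|&lt;|&#60;|&#x3c;)\s*/?\s*[a-z]", re.I)),
]

# Constructed sample export; object shape and field names are assumptions.
SAMPLE_EXPORT = [
    {"id": "rp-01", "display_name": "uplink-a",
     "description": "Tier-0 uplink, MTU < 9000", "_last_modified_user": "netops1"},
    {"id": "rp-02", "display_name": "<img src=x onerror=alert(1)>",
     "tags": [{"tag": "prod"}], "_last_modified_user": "contractor7"},
    {"id": "fw-09", "display_name": "url-filter-block",
     "description": "ref %3Cscript%3Ealert%3C/script%3E",
     "_last_modified_user": "svc-backup"},
]

def walk(node, path=""):
    """Yield (path, value) for every string in a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit(objects):
    """Return one finding per string field that matches any rule."""
    findings = []
    for obj in objects:
        for path, value in walk(obj):
            hits = [name for name, rx in RULES if rx.search(value)]
            if hits:
                findings.append({"id": obj.get("id", "?"), "field": path,
                                 "rules": hits, "value": value,
                                 "modified_by": obj.get("_last_modified_user", "unknown")})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f['id']} {f['field']} {f['rules']} by {f['modified_by']}: {f['value']!r}")
```

Escape flagged values (or print them with `repr`, as here) before placing them in any HTML report, so the audit output does not itself render the stored markup.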
Where possible, enforce least privilege access and segment high-risk administrative roles away from non-privileged users. This helps reduce the attack surface in case of a compromised internal account.
Conclusion: Bottom Line
VMSA-2025-0012 highlights the real risk posed by stored XSS vulnerabilities within VMware NSX. These flaws demonstrate how legitimate administrative interfaces can be weaponized by insiders or lateral attackers to compromise trust, elevate privileges, and gain persistent access. Prompt remediation through vendor patches is essential. Just as critical is the reinforcement of user privilege models and validation controls within NSX environments. Organizations must act decisively to apply the provided fixes and review their internal processes to prevent future exposure.
References
Broadcom Security Advisory VMSA-2025-0012
CVE-2025-22243: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22243
CVE-2025-22244: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22244
CVE-2025-22245: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22245
CVSS Calculator