Important security update for VMware NSX administrators: On June 4, 2025, Broadcom (VMware) announced three critical Stored Cross-Site Scripting (XSS) vulnerabilities affecting the NSX platform. This guide provides detailed information about each vulnerability and step-by-step patching instructions.

 

1. Vulnerability Overview and Risk Assessment

All three discovered vulnerabilities stem from improper input validation issues in the NSX platform, exposing systems to Stored XSS attacks.

🔑 Key Information: Unified Patch All three vulnerabilities (CVE-2025-22243, CVE-2025-22244, CVE-2025-22245) are resolved simultaneously with a single NSX upgrade. Individual patches are not required for each vulnerability—upgrading to the latest NSX version addresses all three vulnerabilities at once.

The vulnerability details are as follows:

CVE Number	Affected Component	CVSS Score	Severity Level
CVE-2025-22243	NSX Manager UI	7.5	Important (High)
CVE-2025-22244	Gateway Firewall	6.9	Moderate
CVE-2025-22245	Router Port	5.9	Moderate

Affected Products:

• VMware NSX 4.0.x, 4.1.x, 4.2.x (all versions)
• VMware Cloud Foundation 4.5.x, 5.0.x, 5.1.x, 5.2.x
• VMware Telco Cloud Platform 2.x, 3.x

 

 

2. CVE-2025-22243: Critical XSS in NSX Manager UI

2-1. Vulnerability Analysis

CVE-2025-22243 represents the highest-risk vulnerability among the three, occurring in the NSX Manager User Interface. The core issue is insufficient input validation in network configuration fields.

Attack Scenario:

1. Attacker gains network configuration modification privileges
2. Malicious JavaScript code injected into DNS name or IP address description fields
3. Scripts execute automatically when other administrators view the compromised settings
4. Secondary attacks such as session hijacking and credential theft may occur

2-2. Affected Menu Paths

• System > Networking > Segments
• System > Networking > Tier-0 Gateways
• System > Networking > Tier-1 Gateways
• System > Inventory > Groups

 

 

3. CVE-2025-22244: Gateway Firewall URL Filtering Vulnerability

3-1. Vulnerability Mechanism

CVE-2025-22244 occurs in the Gateway Firewall’s URL filtering functionality. This vulnerability allows malicious scripts to execute in response pages displayed when users attempt to access blocked websites.

Attack Process:

1. Attacker obtains Gateway Firewall configuration privileges
2. Modifies HTML templates for URL filtering response pages
3. Injects malicious <script> tags or event handler attributes
4. Regular users attempt to access blocked sites
5. Malicious code executes in the browser within NSX UI domain context

3-2. Configuration Paths and Target Menus

• Security > Gateway Firewall
• Security > URL Analysis
• System > Configuration > Custom Response Pages

 

 

4. CVE-2025-22245: Router Port Management Interface Vulnerability

4-1. Vulnerability Characteristics

CVE-2025-22245 occurs in the Router Port management interface, caused by improper input validation in port description fields.

Attack Vector:

1. Attacker with router port creation/modification privileges
2. Malicious script code injected into port description fields
3. Code executes when other users access the port information
4. Privilege escalation attacks attempted within administrator sessions

4-2. Affected Configuration Areas

• Networking > Connectivity > Segments
• Networking > Connectivity > Tier-0 Gateways > Interfaces
• Networking > Connectivity > Tier-1 Gateways > Interfaces

 

 

5. Unified Patch Installation Method (Resolves All 3 Vulnerabilities)

💡 Key Point: Single Upgrade Resolves All Vulnerabilities

To emphasize once more: CVE-2025-22243, CVE-2025-22244, and CVE-2025-22245 are all resolved simultaneously through a single NSX upgrade process. No separate patches or configuration changes are required for individual vulnerabilities.

According to Broadcom’s official Response Matrix, upgrading to the “Fixed Version” shown below resolves all three vulnerabilities automatically:

Current Version Range	Unified Patch Version	Resolved CVEs
NSX 4.2.x	NSX 4.2.2.1	CVE-2025-22243, CVE-2025-22244, CVE-2025-22245
NSX 4.2.1.x	NSX 4.2.1.4	CVE-2025-22243, CVE-2025-22244, CVE-2025-22245
NSX 4.1.x, 4.0.x	NSX 4.1.2.6	CVE-2025-22243, CVE-2025-22244, CVE-2025-22245

5-1. Prerequisites

Before installing the patch, verify the following:

1. Check Current NSX Version
   • Navigate to NSX Manager UI → System > Support to verify version information
2. Create Backups
   • NSX Manager configuration backup: System > Backup & Restore
   • vCenter snapshots recommended
3. Plan Maintenance Window
   • NSX Manager upgrade: approximately 15-20 minutes
   • Edge Node upgrade: 15-20 minutes per node

5-2. Download Patch Versions

Download the appropriate patch version for your current environment:

Current Version	Patch Version	Download Link
NSX 4.2.x	NSX 4.2.2.1	Broadcom Support Portal
NSX 4.2.1.x	NSX 4.2.1.4	Broadcom Support Portal
NSX 4.1.x, 4.0.x	NSX 4.1.2.6	Broadcom Support Portal

Download Files:

• Upgrade bundle: VMware-NSX-upgrade-bundle-{version}.mub (approximately 8GB)
• Pre-check file: VMware-NSX-upgrade-bundle-{version}-pre-check.pub

5-3. Execute Upgrade via NSX Manager

Step 1: Upgrade Preparation and Pre-check

1. Access NSX Manager UI
   • Navigate to https://nsx-manager-fqdn in browser
2. Go to System > Lifecycle Management > Upgrade
3. Click “Upgrade” button
4. Upgrade Readiness Check
   • Click “Upload Pre-Check Upgrade Bundle”
   • Select downloaded .pub file
   • Execute check and review results

Step 2: Upload Upgrade Bundle

1. Click “Next” in the “Prepare for Upgrade” step
2. Upload Main Upgrade Bundle
   • Click “Upload Upgrade Bundle”
   • Select downloaded .mub file (approximately 8GB)
   • Wait for upload completion (10-30 minutes depending on network speed)

Step 3: Execute Sequential Upgrade

The upgrade proceeds automatically in the following order:

1. Deploy Upgrade Coordinator
   • Click “Begin Upgrade” button
   • Wait for coordinator installation completion
2. NSX Manager Cluster Upgrade
   • Each Manager node upgrades sequentially
   • VIP (Virtual IP) may be temporarily affected
3. NSX Edge Node Upgrade
   • Sequential upgrade of Edge nodes
   • Network services may be temporarily interrupted
4. ESXi Host Upgrade
   • Transport Node upgrade
   • Automatic maintenance mode entry/exit per host

5-4. Monitor Upgrade Progress

Monitor upgrade progress using the following methods:

NSX Manager UI Monitoring:

• Real-time status check on System > Lifecycle Management > Upgrade page

CLI Monitoring:

# SSH to NSX Manager CLI
ssh admin@nsx-manager-ip

# Check upgrade status
get upgrade status

# Monitor upgrade logs
get log follow file upgrade.log

 

 

6. Post-Upgrade Verification and Checks

6-1. Verify All 3 Vulnerabilities Patched

After patch installation, verify that all three vulnerabilities have been resolved using the following methods:

1. Verify Version Information
   • NSX Manager UI → System > Support
   • Confirm upgraded version is one of the following:
     • NSX 4.2.2.1 or higher
     • NSX 4.2.1.4 or higher
     • NSX 4.1.2.6 or higher
2. Confirm Vulnerability Resolution Status
   • Check version information in System > General > Details
   • All CVE-2025-22243, CVE-2025-22244, CVE-2025-22245 are resolved in these versions
3. Comprehensive Security Status Check

   # Verify via NSX Manager CLI
   ssh admin@nsx-manager-ip
   get version
   get security-status
   

✅ Verification Checklist:

• [ ] NSX Manager version is at patch level or higher?
• [ ] All NSX Edge nodes have been upgraded?
• [ ] Transport node upgrades completed?
• [ ] Overall system status is normal?

6-2. Functional Validation Testing

1. Network Connectivity Tests
   • Verify VM-to-VM communication
   • Test external network access
2. Firewall Rule Operation Verification
   • Confirm DFW (Distributed Firewall) policy operation
   • Validate Gateway Firewall rule application status
3. Load Balancer Service Verification
   • Check LB virtual server status
   • Verify health check normal operation

 

 

7. Additional Security Recommendations

7-1. Strengthen Access Control Management

Since all vulnerabilities involve attacks by users with specific privileges, proper access control management is crucial:

1. Apply Principle of Least Privilege
   • Grant network configuration privileges only to minimum necessary users
   • Regular privilege review and cleanup
2. Multi-Factor Authentication Setup
   • Enable 2FA (Two-Factor Authentication) for NSX Manager access
   • Configure in System > User Management

7-2. Enhanced Logging and Monitoring

1. Enable Audit Logging
   • Enable logging in System > Configuration > Auditing
   • Strengthen configuration change tracking
2. SIEM Integration Recommended
   • Forward NSX events to external SIEM solutions
   • Configure automatic detection of anomalous behavior patterns

7-3. Regular Security Updates

1. Monitor Security Advisories
   • Regular review of Broadcom Security Advisories
   • Establish security patch application schedule
2. Regular Vulnerability Scanning
   • Perform regular security scans of NSX environment
   • Consider third-party security assessment services

 

 

8. Frequently Asked Questions (FAQ)

Q1. Do I need to patch each of the three CVEs individually?

A: No. A single NSX upgrade resolves CVE-2025-22243, CVE-2025-22244, and CVE-2025-22245 simultaneously. No separate patches or configurations are required for each vulnerability.

Q2. Are there any temporary workarounds without upgrading?

A: According to official Broadcom documentation, all vulnerabilities specify “Workarounds: None”. Therefore, upgrade is the only solution.

Q3. How should I patch in a Cloud Foundation environment?

A: In VMware Cloud Foundation environments, use the Async Patch method:

• Refer to KB article 88287
• Apply asynchronous patches through VCF Lifecycle Manager

Q4. Can I prioritize resolving specific vulnerabilities?

A: This is technically impossible. All three vulnerabilities relate to input validation logic in NSX core components, so they can only be resolved through unified code modifications.

Q5. What is the service impact during upgrade?

A:

• NSX Manager: 15-20 minutes sequential restart per node (temporary VIP impact)
• NSX Edge: 15-20 minutes upgrade per node (traffic rerouting recommended)
• ESXi Hosts: Automatic maintenance mode entry/exit (minimal VM impact)

Q6. Which version should I upgrade to?

A: Choose based on your current version:

• NSX 4.2.x → NSX 4.2.2.1
• NSX 4.2.1.x → NSX 4.2.1.4
• NSX 4.1.x/4.0.x → NSX 4.1.2.6

 

 

The three VMware NSX XSS vulnerabilities (CVE-2025-22243, CVE-2025-22244, CVE-2025-22245) pose serious threats to network infrastructure security. Fortunately, a single unified upgrade resolves all three vulnerabilities, reducing management complexity.

🔑 Key Summary:

• 3 vulnerabilities = 1 upgrade to resolve
• No individual patches required for each vulnerability
• Upgrading to NSX 4.2.2.1, 4.2.1.4, or 4.1.2.6 automatically resolves all vulnerabilities

Following the step-by-step method outlined in this guide will ensure safe resolution. Be sure to thoroughly prepare planning and backups to minimize service interruption during the upgrade process.

After patch application, verify that all services are operating normally through validation testing. Additionally, strengthening access control management and logging systems is important to prepare for similar security threats in the future.

If you encounter issues during the patch application process or need additional assistance, contact Broadcom Technical Support or seek help through the NSX community. 🙂