Detections
Analytics

VMware ESXi 7.x < 7.0 Update 3w / 8.x < 8.0 Update 2e / 8.0 Update 3 < 8.0 Update 3f (VMSA-2025-0013)

critical Nessus Plugin ID 242168

Language:

Synopsis

VMware ESXi is affected by multiple vulnerabilities.

Description

The version of VMware ESXi installed on the remote host is 7.x prior to 7.0 Update 3w, 8.x prior to 8.0 Update 2e, or 8.0 Update 3 prior to 8.0 Update 3f. It is, therefore, affected by multiple vulnerabilities as referenced in the VMSA-2025-0013 advisory:

 - VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. (CVE-2025-41236)

 - VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. (CVE-2025-41237)

 - VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. (CVE-2025-41238)

 - VMware ESXi, Workstation, Fusion, and VMware Tools contains an information disclosure vulnerability due to the usage of an uninitialised memory in vSockets. (CVE-2025-41239)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to VMware ESXi 7.0 Update 3w, 8.0 Update 2e, or 8.0 Update 3f or later.

See Also

http://www.nessus.org/u?98207605

Plugin Details

Severity: Critical

ID: 242168

File Name: vmware_esxi_vmsa-2025-0013.nasl

Version: 1.1

Type: remote

Family: Misc.

Published: 7/16/2025

Updated: 7/16/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: High

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-41236

CVSS v3

Risk Factor: Critical

Base Score: 9.3

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/o:vmware:esxi

Required KB Items: Host/VMware/release, Host/VMware/vsphere

Patch Publication Date: 7/15/2025

Vulnerability Publication Date: 7/15/2025

Reference Information

CVE: CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239