CVE-2025-22243: VMware NSX Manager Stored XSS Vulnerability

CVE-2025-22243 Overview

VMware NSX Manager UI is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper input validation. This vulnerability allows attackers with high privileges to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. The stored nature of this XSS vulnerability makes it particularly dangerous as the malicious payload remains embedded in the system, potentially affecting multiple users over time.

Critical Impact

Attackers with administrative access can inject persistent malicious scripts into the NSX Manager interface, potentially leading to credential theft, session hijacking, and unauthorized actions performed on behalf of legitimate users across the virtualized network infrastructure.

Affected Products

• Broadcom VMware NSX (including version 4.2.2)
• VMware Cloud Foundation
• VMware Telco Cloud Infrastructure
• VMware Telco Cloud Platform

Discovery Timeline

• 2025-06-04 - CVE-2025-22243 published to NVD
• 2025-07-14 - Last updated in NVD database

Technical Details for CVE-2025-22243

Vulnerability Analysis

This stored Cross-Site Scripting vulnerability exists within the VMware NSX Manager user interface component. The root cause is insufficient input validation and output encoding when processing user-supplied data. When a privileged user submits specially crafted input containing JavaScript code, the application fails to properly sanitize this input before storing it in the database and subsequently rendering it to other users.

The attack requires network access and high privileges to execute, but once the malicious payload is stored, it can affect users who simply view the compromised content. The changed scope indicator means that the vulnerability can impact resources beyond the vulnerable component itself, potentially affecting the integrity of the entire management interface and the trust relationship between administrators and the system.

Root Cause

The vulnerability stems from improper input validation (CWE-79) in the NSX Manager UI. The application fails to adequately sanitize user input before storing it and does not properly encode output when rendering stored content back to users. This allows JavaScript code to be embedded in input fields and executed in the context of other users' browser sessions when they access the affected interface elements.

Attack Vector

The attack vector is network-based, requiring an authenticated attacker with high privileges (such as administrator access) to exploit the vulnerability. The attacker must craft a malicious payload containing JavaScript code and submit it through an input field in the NSX Manager UI that stores the data without proper sanitization.

When another user—including other administrators—accesses the page containing the stored malicious content, the script executes in their browser session. This can lead to session token theft, credential harvesting through phishing overlays, modification of displayed data, or execution of unauthorized administrative actions.

The stored XSS vulnerability exploits the trust users place in the VMware NSX Manager interface. Since the malicious script is served from the legitimate application origin, it bypasses same-origin policy protections and can access sensitive data within the application context, including authentication tokens and session cookies.

Detection Methods for CVE-2025-22243

Indicators of Compromise

• Unexpected JavaScript code or HTML tags appearing in NSX Manager configuration fields or log entries
• Unusual network requests originating from the NSX Manager interface to external domains
• Reports from users of unexpected browser behavior or popups when accessing NSX Manager
• Authentication tokens or session cookies being transmitted to unauthorized endpoints

Detection Strategies

• Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in requests to NSX Manager
• Review NSX Manager audit logs for unusual input patterns containing script tags or event handlers
• Deploy browser-based security monitoring to detect script injection attacks
• Conduct periodic security scans of stored data in NSX Manager for embedded malicious content

Monitoring Recommendations

• Enable detailed logging for all administrative actions within VMware NSX Manager
• Monitor for Content Security Policy (CSP) violations that may indicate XSS exploitation attempts
• Implement alerting for unusual patterns in NSX Manager API calls or interface interactions
• Review network traffic from NSX Manager hosts for connections to unexpected external destinations

How to Mitigate CVE-2025-22243

Immediate Actions Required

• Apply the security patches provided by Broadcom immediately for all affected VMware NSX deployments
• Restrict administrative access to NSX Manager to only essential personnel
• Review stored data and configurations in NSX Manager for signs of embedded malicious scripts
• Implement additional network segmentation to limit exposure of management interfaces

Patch Information

Broadcom has released security patches to address this vulnerability. Organizations should consult the Broadcom Security Advisory for detailed patch information and update instructions. Apply patches to all affected products including VMware NSX, Cloud Foundation, Telco Cloud Infrastructure, and Telco Cloud Platform deployments.

Workarounds

• Limit network access to NSX Manager UI to trusted networks and IP ranges only
• Implement Content Security Policy (CSP) headers at the network perimeter to mitigate XSS impact
• Conduct regular audits of administrative accounts and reduce the number of high-privilege users
• Enable multi-factor authentication for all NSX Manager administrative access to reduce the risk of compromised credentials being exploited

# Example: Restrict access to NSX Manager at the firewall level
# Only allow connections from trusted management network
iptables -A INPUT -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP