PatchSiren cyber security CVE debrief
CVE-2025-41238 VMware CVE debrief
CVE-2025-41238 is a critical VMware vulnerability affecting the Paravirtualized SCSI (PVSCSI) controller in ESXi, Workstation, and Fusion. According to the advisory corpus, successful exploitation can cause an out-of-bounds write and lead to code execution on the host. Rockwell Automation’s CSAF advisory maps the issue to multiple Rockwell offerings that use VMware components and directs customers to VMware/Broadcom patch guidance or Rockwell-managed remediation support, depending on support contract coverage. The advisory was published on 2025-07-31.
- Vendor: VMware
- Product: Industrial Data Center (IDC) with VMware
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-07-31
- Original CVE updated: 2025-07-31
- Advisory published: 2025-07-31
- Advisory updated: 2025-07-31
Who should care
Organizations using Rockwell Automation offerings that embed or depend on VMware components should review this advisory, especially those running Industrial Data Center (IDC) with VMware, VersaVirtual Appliance (VVA) with VMware, Threat Detection Managed Services (TDMS) with VMware, Endpoint Protection Service with Rockwell Automation Proxy & VMware only, and Engineered and Integrated Solutions with VMware. VMware administrators responsible for ESXi hosts, and teams running VMware Workstation or Fusion in exposed or high-trust environments, should also prioritize review.
Technical summary
The source advisory describes a heap-overflow condition in VMware’s PVSCSI controller that can result in an out-of-bounds write. The reported impact is host code execution, which is why the CVSS 3.1 score is 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Rockwell’s CSAF record ties the issue to affected Rockwell service/product bundles and points customers to Broadcom release notes for fixed ESXi builds (including 8.0U3f, 8.0U2e, and 7.0U3w) or to Rockwell support/advisory channels when managed services are in scope.
Defensive priority
High. This is a critical host-impacting vulnerability with code-execution potential. Patch and validate affected VMware components promptly, particularly where Rockwell-managed environments depend on embedded VMware infrastructure.
Recommended defensive actions
- Identify whether any Rockwell Automation deployment uses the affected VMware-backed offerings listed in the advisory.
- If you have an active Rockwell Automation Infrastructure Managed Service or Threat Detection Managed Service contract, engage Rockwell for remediation steps.
- If you do not have a managed services contract, follow the Broadcom/VMware advisories referenced by Rockwell and apply the corrected ESXi releases called out in the source corpus.
- Review whether VMware Workstation or Fusion instances in your environment use affected versions and update them through official vendor guidance.
- Limit unnecessary access to virtualization management interfaces and apply standard defense-in-depth controls while patching is underway.
- Verify remediation by checking installed versions against vendor release notes and change records.
Evidence notes
The source corpus states that the vulnerability is a heap overflow in VMware’s PVSCSI controller and that exploitation can lead to host code execution. Rockwell Automation’s CSAF advisory (ICSA-25-212-02) lists five affected VMware-based Rockwell offerings and recommends Broadcom advisories for customers without a Rockwell managed-services contract. The corpus also includes Rockwell remediation references to Broadcom ESXi release notes for 8.0U3f, 8.0U2e, and 7.0U3w. No KEV entry or ransomware-campaign linkage is present in the supplied data.
Official resources
- CVE-2025-41238 CVE record (CVE.org)
- CVE-2025-41238 NVD detail (NVD)
- Source item URL (cisa_csaf)
Published by CISA on 2025-07-31 in ICS Advisory ICSA-25-212-02. The source corpus does not indicate KEV listing, public exploitation, or ransomware campaign use at the time of publication.