Impact of Apache Tomcat CVE-2025-31651 and CVE-2025-31650 on vSphere Products Overview

Article ID: 397152

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article outlines the potential impact of two Apache Tomcat vulnerabilities, CVE-2025-31651 and CVE-2025-31650, on vSphere environments, specifically vCenter Server and VMware ESXi.

Environment

vCenter Server:

  • 8.0.x
  • 7.0.x

VMware ESXi:

  • 8.0.x
  • 7.0.x

Resolution

CVE-2025-31651:

  • The VMware Security Team assessed this vulnerability as non-critical, with a CVSS score of 8.1. Product teams have been notified to integrate the updated Apache Tomcat version if their configurations use rewrite rules as described in the advisory.
    Reference: GitHub Commit

CVE-2025-31650:

  • ESXi doesn't contain Tomcat, therefore it's not affected.
  • This vulnerability is also classified as non-critical by VMware. Affected product teams will incorporate fixes in their next scheduled releases.

Additional Information

These CVEs are not included in the VMware Security Advisories (VMSA).

For official security updates, refer to VMware Security Advisories.