A Nessus scan identified CVE-2025-61984 and CVE-2025-61985 (OpenSSH < 10.1 / 10.1p1 RCE) on a VMware Cloud Director 10.x environment. The scanner recommended upgrading OpenSSH to version 10.1 or later. This document addresses whether these vulnerabilities affect VMware Cloud Director 10.x and outlines the appropriate remediation path. The finding comes from a vulnerability scan and does not reflect a functional service impact.
Both CVEs are client-side vulnerabilities that require the use of the "ProxyCommand" directive in the SSH client configuration to be exploitable.
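One way to check whether that precondition exists on a host, as an added example that is not Broadcom's or OpenSSH's own code: the hypothetical function `find_proxycommand` lists active `ProxyCommand` directives in the SSH client configuration files passed to it. The sample configuration is constructed, and files pulled in through `Include` must be passed explicitly.

```shell
#!/bin/sh
# find_proxycommand FILE...   (hypothetical helper, not part of any product)
# Prints "file:line:directive" for every active ProxyCommand directive.
# Returns 0 if at least one was found, 1 if none.
find_proxycommand() {
    [ "$#" -gt 0 ] || return 1
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # strip leading whitespace
            if (line == "" || line ~ /^#/) next   # skip blank and comment lines
            # ssh_config keywords are case-insensitive; the separator is
            # whitespace or optional whitespace plus a single "="
            if (tolower(line) !~ /^proxycommand[ \t=]/) next
            arg = substr(line, length("proxycommand") + 1)
            sub(/^[ \t]*=?[ \t]*/, "", arg)       # drop the separator
            sub(/[ \t]+$/, "", arg)               # drop trailing whitespace
            # "ProxyCommand none" disables the feature, so it is not a hit
            if (arg == "" || tolower(arg) == "none") next
            printf "%s:%d:%s\n", FILENAME, FNR, line
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample configuration, not taken from any real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# ProxyCommand ssh -W %h:%p old-bastion.example.test
Host *
    ProxyCommand none
Host internal-*
    ProxyCommand ssh -W %h:%p jump.example.test
EOF
find_proxycommand "$sample" || echo "no active ProxyCommand directive found"
rm -f "$sample"
```

On a real host, pass the client configuration files in use, typically `/etc/ssh/ssh_config` and `~/.ssh/config` (OpenSSH defaults, assumed here rather than confirmed for the Cloud Director appliance). A `ProxyCommand` supplied with `-o` on an `ssh` command line is not covered by this check.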
VMware Cloud Director 10.x
The OpenSSH version included with VMware Cloud Director 10.x is flagged as vulnerable because it is below version 10.1. However, OpenSSH 10.1 has not yet been integrated and tested with VMware Cloud Director 10.6.x.
VMware by Broadcom is aware of CVE-2025-61984 and CVE-2025-61985.
Please refer to the release notes for existing and forthcoming product releases for any updates in relation to these CVEs.
Should you require further information, please contact Broadcom Support.