VMSA-2025-0001: VMware Aria Automation update addresses a server side request forgery vulnerability (CVE-2025-22215)
Advisory ID: VMSA-2025-0001
Advisory Severity: Moderate
CVSSv3 Range: 4.3
Synopsis: VMware Aria Automation update addresses a server side request forgery vulnerability (CVE-2025-22215)
Issue date: 2025-01-07
Updated on: 2025-01-07
CVE(s): CVE-2025-22215
1. Impacted Products
- VMware Aria Automation
- VMware Cloud Foundation
2. Introduction
A server-side request forgery (SSRF) vulnerability in VMware Aria Automation was responsibly reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
3. VMware Aria Automation SSRF vulnerability (CVE-2025-22215)
Description:
VMware Aria Automation contains a server-side request forgery (SSRF) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
Known Attack Vectors:
A malicious actor with "Organization Member" access to Aria Automation may exploit this vulnerability to enumerate internal services running on the host/network.
Resolution:
To remediate CVE-2025-22215 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Bartosz Reginiak for reporting this issue to us.
Notes:
None.
Response Matrix:
Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Versions | Workarounds | Additional Documentation |
VMware Aria Automation | 8.x | Any | CVE-2025-22215 | 4.3 | Moderate | 8.18.1 patch 1 | None | None |
VMware Cloud Foundation | 5.x, 4.x | Any | CVE-2025-22215 | 4.3 | Moderate | KB 385294 | None | None |
4. References:
Fixed Version(s) and Release Notes:
https://support.
Additional Documentation:
None.
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22215
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5. Change Log:
2025-01-07 : VMSA-2025-0001
Initial security advisory.
6. Contact:
E-mail: [email protected]
PGP key
https://knowledge.broadcom.com/external/article/321551
VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories
VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response
VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle
VMware Security Blog
https://blogs.vmware.com/security
X
https://x.com/VMwareSRC
Copyright 2025 Broadcom All rights reserved.