VMSA-2025-0002: VMware Avi Load Balancer addresses an unauthenticated blind SQL Injection vulnerability (CVE-2025-22217)
25346
31 January 2025
28 January 2025
OPEN
HIGH
8.6
CVE-2025-22217
|
Advisory ID: |
VMSA-2025-0002 |
|
Severity: |
Important |
|
CVSSv3 Range: |
8.6 |
|
Synopsis: |
VMware Avi Load Balancer addresses an unauthenticated blind SQL Injection vulnerability (CVE-2025-22217) |
|
Issue date: |
2025-01-28 |
|
Updated on: |
2025-01-28 (Initial Advisory) |
|
CVE(s) |
CVE-2025-22217 |
1. Impacted Products
- VMware Avi Load Balancer
2. Introduction
Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
3. VMware Avi Load Balancer Blind SQL Injection vulnerability (CVE-2025-22217)
Description:
VMware AVI Load Balancer contains an unauthenticated blind SQL Injection vulnerability. VMware has evaluated the severity of the issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.
Known Attack Vectors:
A malicious user with network access may be able to use specially crafted SQL queries to gain database access.
Resolution:
To remediate CVE-2025-22217 apply the patches to the Avi Controller listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Daniel Kukuczka and Mateusz Darda for reporting this issue to us.
Notes:
None.
Response Matrix:
| Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents |
| VMware Avi Load Balancer | 30.1.1 | Any | CVE-2025-22217 | 8.6 | Important | 30.1.2-2p2 | None | None |
| VMware Avi Load Balancer | 30.1.2 | Any | CVE-2025-22217 | 8.6 | Important | 30.1.2-2p2 | None | None |
| VMware Avi Load Balancer | 30.2.1 | Any | CVE-2025-22217 | 8.6 | Important | 30.2.1-2p5 | None | None |
| VMware Avi Load Balancer | 30.2.2 | Any | CVE-2025-22217 | 8.6 | Important | 30.2.2-2p2 | None | None |
4. References:
Fixed Version(s) and Release Notes:
30.1.1/30.1.2
30.2.1
30.2.2
Additional Documentation:
Version 22.x and 21.x are not vulnerable.
Version 30.1.1 must be upgraded to 30.1.2 or later before the patch can be applied.
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22217
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
5. Change Log:
2025-01-28: VMSA-2025-0002
Initial security advisory.
6. Contact:
E-mail: [email protected]
PGP key
https://knowledge.broadcom.com/external/article/321551
VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories
VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response
VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle
VMware Security Blog
https://blogs.vmware.com/security
Copyright 2025 Broadcom All rights reserved.