VMSA-2025-0011: VMware Avi Load Balancer addresses an authenticated blind SQL Injection vulnerability (CVE-2025-41233)
|
Advisory ID: |
VMSA-2025-0011 |
|
Severity: |
MODERATE |
|
CVSSv3 Range: |
6.8 |
|
Synopsis: |
VMware Avi Load Balancer addresses an authenticated blind SQL Injection vulnerability (CVE-2025-41233) |
|
Issue date: |
2025-05-22 |
|
Updated on: |
2025-05-22 (Initial Advisory) |
|
CVE(s) |
CVE-2025-41233 |
1. Impacted Products
- VMware Avi Load Balancer
2. Introduction
Avi Load Balancer contains an authenticated blind SQL Injection vulnerability, which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
3. VMware Avi Load Balancer Blind SQL Injection vulnerability (CVE-2025-41233)
Description:
VMware AVI Load Balancer contains an authenticated blind SQL Injection vulnerability. VMware has evaluated the severity of the issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.8.
Known Attack Vectors:
An authenticated malicious user with network access may be able to use specially crafted SQL queries to gain database access.
Resolution:
To remediate CVE-2025-41233 apply the patches to the Avi Controller listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Alexandru Copaceanu for reporting this issue to us.
Notes:
None.
Response Matrix:
| Product | Version | Running On | CVE | CVSSv4 | Severity | Fixed Version | Workarounds | Additional Documents |
| VMware Avi Load Balancer | 30.1.1 | Any | CVE-2025-41233 | 6.8 | Moderate | 30.1.2-2p3 | None | None |
| VMware Avi Load Balancer | 30.1.2 | Any | CVE-2025-41233 | 6.8 | Moderate | 30.1.2-2p3 | None | None |
| VMware Avi Load Balancer | 30.2.1 | Any | CVE-2025-41233 | 6.8 | Moderate | 30.2.1-2p6 | None | None |
| VMware Avi Load Balancer | 30.2.2 | Any | CVE-2025-41233 | 6.8 | Moderate | 30.2.2-2p5 | None | None |
| VMware Avi Load Balancer | 30.2.3 | Any | CVE-2025-41233 | N/A | N/A | Unaffected | None | None |
| VMware Avi Load Balancer | 31.1.1 | Any | CVE-2025-41233 | 6.8 | Moderate | 31.1.1-2p2 | None | None |
4. References:
Fixed Version(s) and Release Notes:
30.1.1/30.1.2
30.2.1
30.2.2
30.2.3
31.1.1
Additional Documentation:
Version 22.x and 21.x are not vulnerable.
Version 30.1.1 must be upgraded to 30.1.2 or later before the patch can be applied.
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41233
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
5. Change Log:
2025-05-22: VMSA-2025-0011
Initial security advisory.
2025-05-27: Marking 30.2.3 as unaffected. Previously, this was unclear, since 30.2.3 already contains the fix as mentioned in the release notes.
6. Contact:
E-mail: [email protected]
PGP key
https://knowledge.broadcom.com/external/article/321551
VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories
VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response
VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle
VMware Security Blog
https://blogs.vmware.com/security
Copyright 2025 Broadcom All rights reserved.