Broadcom has identified a significant security vulnerability in VMware Avi Load Balancer, designated as CVE-2025-22217, with a CVSS score of 8.6. This unauthenticated blind SQL injection flaw allows attackers with network access to execute specially crafted SQL queries, potentially granting unauthorized access to the system’s database.
The affected versions include:
- 30.1.1
- 30.1.2
- 30.2.1
- 30.2.2
To address this vulnerability, Broadcom has released patches for the impacted versions. Users are advised to upgrade to the following fixed versions:
- 30.1.2-2p2
- 30.2.1-2p5
- 30.2.2-2p2
It’s important to note that versions 22.x and 21.x are not susceptible to this vulnerability. For users on version 30.1.1, an upgrade to 30.1.2 or later is required before applying the patch.
Given the absence of workarounds, immediate application of these patches is crucial to mitigate potential risks. Organizations should also consider implementing network segmentation to restrict access to the Avi Load Balancer management interfaces and deploying web application firewalls with SQL injection detection rules enabled.
Security researchers Daniel Kukuczka and Mateusz Darda have been acknowledged for discovering and reporting this vulnerability.
This incident underscores the critical importance of timely vulnerability management and the need for organizations to stay vigilant against emerging threats. Regularly updating systems and applying security patches promptly are essential practices to safeguard against potential exploits.