Multiple vulnerabilities in VMware vCenter and NSX were privately reported to Broadcom. Updates are available to remediate these vulnerabilities in affected Broadcom products.
Multiple vulnerabilities in VMware Aria Operations and VMware Tools were privately reported to Broadcom. Patches are available to remediate these vulnerabilities in affected Broadcom products.
Multiple vulnerabilities in VMware ESXi, Workstation, Fusion, and Tools were privately reported to Broadcom. Updates are available to remediate these vulnerabilities in affected Broadcom products.
8. Once downloaded, use the Admin UI at https://your_ops_fqdn_here/admin. Navigate to Software Update – INSTALL A SOFTWARE UPDATE and point it to your APUAT pak file.
9. Then apply HF6 via the Software Update page: BROWSE to your file.
VMware Aria Automation updates address a DOM-based Cross-Site Scripting vulnerability (CVE-2025-22249)
Issue date:
2025-05-12
Updated on:
2025-05-12 (Initial Advisory)
CVE(s)
CVE-2025-22249
Impacted Products:
VMware Aria Automation
VMware Cloud Foundation
VMware Telco Cloud Platform
Introduction:
A DOM based Cross-Site Scripting (XSS) vulnerability in VMware Aria Automation was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-22249)
Description:
VMware Aria Automation contains a DOM-based Cross-Site Scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.
Known Attack Vectors:
A malicious actor may exploit this issue to steal the access token of a logged-in user of the VMware Aria Automation appliance by tricking the user into clicking a maliciously crafted payload URL.
Resolution:
To remediate CVE-2025-22249, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Bartosz Reginiak for reporting this issue to us.
VMware Aria Operations updates address a local privilege escalation vulnerability (CVE-2025-22231)
Issue date:
2025-04-01
Updated on:
2025-04-01 (Initial Advisory)
CVE(s)
CVE-2025-22231
Impacted Products:
VMware Aria Operations
VMware Cloud Foundation
VMware Telco Cloud Platform
VMware Telco Cloud Infrastructure
Introduction:
A local privilege escalation vulnerability in VMware Aria Operations was responsibly reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
Local privilege escalation vulnerability (CVE-2025-22231)
Description:
VMware Aria Operations contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Known Attack Vectors:
A malicious actor with local administrative privileges can escalate their privileges to root on the appliance running VMware Aria Operations.
Resolution:
To remediate CVE-2025-22231, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank thiscodecc of MoyunSec Vlab and Bing for reporting this issue to us.
VMware Avi Load Balancer addresses an unauthenticated blind SQL Injection vulnerability (CVE-2025-22217)
Issue date:
2025-01-28
Updated on:
2025-01-28 (Initial Advisory)
CVE(s)
CVE-2025-22217
Impacted Products:
VMware Avi Load Balancer
Introduction:
Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
Description:
VMware Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability. VMware has evaluated the severity of the issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.
Known Attack Vectors:
A malicious user with network access may be able to use specially crafted SQL queries to gain database access.
Resolution:
To remediate CVE-2025-22217, apply the patches to the Avi Controller listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware Aria Automation update addresses a server side request forgery vulnerability (CVE-2025-22215)
Issue date:
2025-01-07
Updated on:
2025-01-07
CVE(s)
CVE-2025-22215
Impacted Products:
VMware Aria Automation
VMware Cloud Foundation
Introduction:
A server-side request forgery (SSRF) vulnerability in VMware Aria Automation was responsibly reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
Description:
VMware Aria Automation contains a server-side request forgery (SSRF) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
Known Attack Vectors:
A malicious actor with “Organization Member” access to Aria Automation may exploit this vulnerability to enumerate internal services running on the host/network.
Resolution:
To remediate CVE-2025-22215, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Multiple vulnerabilities in Aria Operations for Networks were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.
VMware Aria Operations for Logs (formerly vRealize Log Insight).
CVE(s)
CVE-2023-20864, CVE-2023-20865
Synopsis
VMware Aria Operations for Logs (Operations for Logs) update addresses multiple vulnerabilities. (CVE-2023-20864, CVE-2023-20865)
Introduction
Multiple vulnerabilities in VMware Aria Operations for Logs were privately reported to VMware. Updates and workarounds are available to address these vulnerabilities in affected VMware products.
Response Matrix
Product | Version | Running On | Fixed Version | Workarounds | Additional Documentation
VMware Aria Operations for Logs (Operations for Logs)