VMSA-2025-0006 | VMware Aria Operations

By Lerpong Intaraworrapath | April 2nd, 2025

VMware Aria Operations updates address a local privilege escalation vulnerability (CVE-2025-22231)

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25541

Advisory ID: VMSA-2025-0006
Advisory Severity: Important
CVSSv3 Range: 7.8
Synopsis: VMware Aria Operations updates address a local privilege escalation vulnerability (CVE-2025-22231)
Issue date: 2025-04-01
Updated on: 2025-04-01 (Initial Advisory)
CVE(s): CVE-2025-22231

Impacted Products:

  • VMware Aria Operations
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform
  • VMware Telco Cloud Infrastructure

Introduction:

A local privilege escalation vulnerability in VMware Aria Operations was responsibly reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. 

Local privilege escalation vulnerability (CVE-2025-22231)

Description:

 VMware Aria Operations contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors:

A malicious actor with local administrative privileges can escalate their privileges to root on the appliance running VMware Aria Operations.

Resolution:

To remediate CVE-2025-22231, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank thiscodecc of MoyunSec Vlab and Bing for reporting this issue to us.

Notes:

None.

Response Matrix:

| Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Aria Operations | 8.x | Any | CVE-2025-22231 | 7.8 | Important | 8.18 HF 5 | None | None |
| VMware Cloud Foundation | 5.x, 4.x | Any | CVE-2025-22231 | 7.8 | Important | KB article | None | None |
| VMware Telco Cloud Platform | 5.x, 4.x, 3.x | Any | CVE-2025-22231 | 7.8 | Important | 8.18 HF 5 | None | None |
| VMware Telco Cloud Infrastructure | 3.x, 2.x | Any | CVE-2025-22231 | 7.8 | Important | 8.18 HF 5 | None | None |

References:

Fixed Version(s) and Release Notes:
Downloads and Documentation

Additional Documentation:

None.

Mitre CVE Dictionary Links:

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Change Log:

2025-04-01: VMSA-2025-0006
Initial security advisory.
