VMSA-2025-0002 | VMware Avi Load Balancer

By Lerpong Intaraworrapath | March 18th, 2025

VMSA-2025-0002: VMware Avi Load Balancer addresses an unauthenticated blind SQL Injection vulnerability (CVE-2025-22217)

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25346

Advisory ID:	VMSA-2025-0002
Severity:	Important
CVSSv3 Range:	8.6
Synopsis:	VMware Avi Load Balancer addresses an unauthenticated blind SQL Injection vulnerability (CVE-2025-22217)
Issue date:	2025-01-28
Updated on:	2025-01-28 (Initial Advisory)
CVE(s)	CVE-2025-22217

Impacted Products:

VMware Avi Load Balancer

Introduction:

Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.

Description:

VMware AVI Load Balancer contains an unauthenticated blind SQL Injection vulnerability. VMware has evaluated the severity of the issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.

Know Attack Vectors:

A malicious user with network access may be able to use specially crafted SQL queries to gain database access.

Resolution:

To remediate CVE-2025-22217 apply the patches to the Avi Controller listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Response Matrix:

Product	Version	Running On	CVE	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documents
VMware Avi Load Balancer	30.1.1	Any	CVE-2025-22217	8.6	Important	30.1.2-2p2	None	None
VMware Avi Load Balancer	30.1.2	Any	CVE-2025-22217	8.6	Important	30.1.2-2p2	None	None
VMware Avi Load Balancer	30.2.1	Any	CVE-2025-22217	8.6	Important	30.2.1-2p5	None	None
VMware Avi Load Balancer	30.2.2	Any	CVE-2025-22217	8.6	Important	30.2.2-2p2	None	None