A significant security vulnerability has recently been discovered in the VMware Avi Load Balancer, identified as CVE-2025-22217 with a high CVSS score of 8.6. This revelation has raised considerable concerns about potential unauthorized access to sensitive data through exploiting this flaw. Broadcom issued an alert regarding this unauthenticated blind SQL injection vulnerability, which allows attackers to gain access to the database by sending specially crafted SQL queries. Such vulnerabilities pose a severe risk as they can be exploited without any authentication, making it possible for an attacker to manipulate or extract data from the affected systems.
The affected versions of the VMware Avi Load Balancer include 30.1.1, 30.1.2, 30.2.1, and 30.2.2. To address this critical issue, Broadcom released fixed versions as 30.1.2-2p2, 30.2.1-2p5, and 30.2.2-2p2. For users currently operating on version 30.1.1, it is essential to upgrade to version 30.1.2 or later before applying the patch. It is crucial to note that versions 22.x and 21.x are not affected by this vulnerability, offering some relief for users with older deployments. Broadcom’s advisory strongly urges customers to update to the latest version as no workarounds are available, underscoring the importance of safeguarding systems through timely updates.
The discovery of this flaw has been credited to security researchers Daniel Kukuczka and Mateusz Darda, highlighting the ongoing efforts in the cybersecurity field to identify and rectify potential threats. Broadcom’s prompt action and detailed advisory reflect the critical need for vigilance and prompt action in the realm of software security. As malicious actors continuously develop sophisticated methods to exploit vulnerabilities, it becomes increasingly essential for organizations to maintain up-to-date security measures. Ignoring such updates could result in severe data breaches, loss of sensitive information, and significant operational disruptions.