High-Severity Security Flaw in VMware Avi Load Balancer

Posted by Ravie Lakshmanan on January 29, 2025

Security Vulnerability Details

Security Flaw Description

Broadcom has alerted of a high-severity security flaw in VMware Avi Load Balancer that could be weaponized by malicious actors to gain entrenched database access. The vulnerability, tracked as CVE-2025-22217 (CVSS score: 8.6), has been described as an unauthenticated blind SQL injection.

Impact of the Vulnerability

"A malicious user with network access may be able to use specially crafted SQL queries to gain database access," the company said in an advisory issued Tuesday. Security researchers Daniel Kukuczka and Mateusz Darda have been acknowledged for discovering and reporting the vulnerability.

Affected Versions

The vulnerability affects the following version of the software:

• VMware Avi Load Balancer 30.1.1 (Fixed in 30.1.2-2p2)
• VMware Avi Load Balancer 30.1.2 (Fixed in 30.1.2-2p2)
• VMware Avi Load Balancer 30.2.1 (Fixed in 30.2.1-2p5)
• VMware Avi Load Balancer 30.2.2 (Fixed in 30.2.2-2p2)

Non-Affected Versions

Versions 22.x and 21.x are not susceptible to CVE-2025-22217.

Patch Requirements

Users running version 30.1.1 must first upgrade to 30.1.2 or later before applying the patch. There are no workarounds that address the shortcoming, necessitating that customers update their instances to the latest version for optimal protection.

Stay Informed

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.