VMware Aria Operations: Attackers can read out credentials

Broadcom warns of security vulnerabilities in VMware Aria Operations that could, among other things, allow attackers to read stored credentials. Updates are available.


Security gaps in VMware products put users at risk.

(Image: created with AI in Bing Designer by heise online / dmk)

Broadcom warns of five vulnerabilities in VMware Aria Operations for Logs and VMware Aria Operations as well as VMware Cloud Foundation. Attackers can gain unauthorized access to information, for example to read out credentials, and use it to cause further damage.

In the security advisory, the VMware developers write that malicious actors with read-only admin rights can read the credentials of VMware products stored in VMware Aria Operations for Logs (CVE-2025-22218, CVSS 8.5, risk "high"). In addition, attackers with non-administrative privileges can abuse an information leak to obtain credentials for a plug-in if they know a valid service access ID (CVE-2025-22222, CVSS 7.7, "high").

Broadcom also reports a stored cross-site scripting vulnerability in VMware Aria Operations for Logs, which allows attackers to inject malicious scripts that can perform arbitrary operations as admin (CVE-2025-22219, CVSS 6.8, "medium"). A similar vulnerability allows attackers with admin privileges to inject a script into victims' browsers, which is executed when they initiate a delete operation in the agent configuration (CVE-2025-22221, CVSS 5.2, "medium"). Finally, due to broken privilege checks, non-administrative user accounts with network access to the Aria Operations for Logs API can perform some tasks in the context of an admin user (CVE-2025-22220, CVSS 4.3, "medium").

Version 8.18.3 of VMware Aria Operations and VMware Aria Operations for Logs closes the vulnerabilities. Updates for VMware Cloud Foundation 4.x and 5.x were already made available on Thursday; they can be rolled out with the VMware Aria Suite Lifecycle Manager.

Only on Wednesday of this week, Broadcom had already put VMware administrators on edge: a high-risk vulnerability in the Avi Load Balancer allowed attackers to send commands to the database via SQL injection and gain unauthorized access to it.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.