VMware: High-risk SQL injection vulnerability compromises Avi Load Balancer

Broadcom warns of an SQL injection vulnerability in VMware Avi Load Balancer. Attackers can gain unauthorized access to the database.

Stylized graphic: Burning VMware logo on a laptop

(Image: Created with AI in Bing Designer by heise online / dmk)


There is a vulnerability in VMware's Avi Load Balancer that allows attackers to inject SQL commands. This gives them access to the database and lets them cause further damage. An update is available.

In its security advisory, Broadcom writes that an SQL injection vulnerability exploitable without prior authentication has been discovered in Avi Load Balancer. The developers have evaluated the vulnerability and classified it as "important". However, the vulnerability, CVE-2025-22217, has a CVSS score of 8.6, which places it at the upper end of the "high" risk category.

"Malicious users with network access can send specially crafted SQL queries to gain database access," is all the developers explain. VMware does not describe exactly what such queries look like, how they can be filtered, or any other temporary countermeasures that would mitigate the effects of the security leak.

Apparently the potential database accesses are far-reaching, which would explain the risk classification. For example, it may also be possible to access the user database, which could provide further access; however, VMware leaves this in the dark.

VMware recommends installing the available patches for the Avi controllers to close the security gap. The version VMware Avi Load Balancer 30.1.2-2p2 plugs the leak for the vulnerable versions 30.1.1 and 30.1.2. VMware also provides the bug-fixed versions 30.2.1-2p5 and 30.2.2-2p2. The version branches 21.x and 22.x are not believed to be vulnerable. Avi Load Balancer 30.1.1 must first be updated to 30.1.2 or newer; only then can the patch be applied.
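As an added defender-side example (not code from the page, from VMware or from Broadcom), the following script triages a controller inventory against the fixed builds named above. It assumes the "-NpM" suffix denotes build N, patch M, and that a controller is fixed once its suffix is at or above the fixed one; the inventory is constructed.

```python
import re

# Fixed builds named for CVE-2025-22217. Assumption: the "-NpM" suffix means
# build N, patch M, and a controller is fixed when its (N, M) >= the fixed pair.
FIXED_BUILDS = {
    (30, 1, 2): (2, 2),   # 30.1.2-2p2, also the target for 30.1.1 after an interim update
    (30, 2, 1): (2, 5),   # 30.2.1-2p5
    (30, 2, 2): (2, 2),   # 30.2.2-2p2
}
NOT_AFFECTED_BRANCHES = {21, 22}  # 21.x and 22.x are reported as not vulnerable

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+)p(\d+))?$")


def parse_version(text):
    """Split '30.1.2-2p2' into ((30, 1, 2), (2, 2)); a bare '30.1.2' gets suffix (0, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Avi version string: {text!r}")
    major, minor, patch, build, plevel = m.groups()
    suffix = (int(build), int(plevel)) if build is not None else (0, 0)
    return (int(major), int(minor), int(patch)), suffix


def assess(version):
    """Return (status, advice); status is 'not_affected', 'patched', 'vulnerable' or 'unknown'."""
    base, suffix = parse_version(version)
    if base[0] in NOT_AFFECTED_BRANCHES:
        return "not_affected", "branch not listed as vulnerable"
    if base == (30, 1, 1):
        return "vulnerable", "update to 30.1.2 first, then apply 30.1.2-2p2"
    if base in FIXED_BUILDS:
        fixed_build, fixed_patch = FIXED_BUILDS[base]
        if suffix >= (fixed_build, fixed_patch):
            return "patched", "fixed build already installed"
        return "vulnerable", f"apply {base[0]}.{base[1]}.{base[2]}-{fixed_build}p{fixed_patch}"
    return "unknown", "version not covered by the advisory as reported; check vendor guidance"


def triage(inventory):
    """Map controller name -> status for a {name: version} inventory."""
    return {name: assess(ver)[0] for name, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "avi-ctrl-01": "30.1.1",
    "avi-ctrl-02": "30.1.2-2p1",
    "avi-ctrl-03": "30.2.1-2p5",
    "avi-ctrl-04": "22.1.3",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status} ({assess(SAMPLE_INVENTORY[name])[1]})")
```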

VMware products are high on cybercriminals' list of software to attack. Around the middle of last November, attackers abused vulnerabilities in vCenter Server in the wild. IT managers should therefore apply the updates quickly.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.