Vhtforums
AI Assistant
High-Severity SQL I...
 
Notifications
Clear all

High-Severity SQL Injection Vulnerability in VMware Avi Load Balancer

1 Posts
1 Users
0 Reactions
1,186 Views
Brandon Lee
Posts: 696
Admin
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
(@brandon-lee)
Member
Joined: 16 years ago
[#392]

If you are running the Broadcom/VMware Avi Load Balancer, which is commonly used with the VMware Tanzu solution for Kubernetes. As you can see below, you can select the Avi load balancer when enabling VMware Tanzu workload cluster in VMware vSphere:

selecting avi loadbalancer in vmware tanzu kubernetes workload configuration

You need to take note of a serious vulnerability tracked by the CVE-2025-22217. The CVSS score is 8.6. It is described as:

  • Unauthenticated blind SQL injection

What can an attacker do? 

  • An attacker with network access can use a specially crafted SQL query to gain database access to your AVI Load Balancer

You can read more specifics of the attack here directly from the Broadcom security advisory: Support Content Notification.

What do users need to do to remediate the SQL injection vulnerability? Apply the patches listed in the below response matrix. This information comes directly from the Broadcom security advisory page.

Response Matrix:

Product Version Running On CVE CVSSv3 Severity Fixed Version Workarounds Additional Documents
VMware Avi Load Balancer 30.1.1 Any CVE-2025-22217 8.6 Important 30.1.2-2p2  None None
VMware Avi Load Balancer 30.1.2 Any CVE-2025-22217 8.6 Important 30.1.2-2p2  None None
VMware Avi Load Balancer 30.2.1 Any CVE-2025-22217 8.6 Important 30.2.1-2p5  None None
VMware Avi Load Balancer 30.2.2 Any CVE-2025-22217 8.6 Important 30.2.2-2p2  None None