Critical SQL Injection Vulnerability Exposes VMware Avi Load Balancer
A serious SQL injection vulnerability has been identified in VMware's Avi Load Balancer, raising significant concerns about potential unauthorized access to sensitive databases. Security experts from Broadcom have issued a warning regarding this critical security flaw, which could enable attackers to infiltrate systems without prior authentication.
According to the security advisory, this vulnerability, designated CVE-2025-22217, has been assigned a CVSS score of 8.6, categorizing it as high risk. The flaw allows an attacker with network access, and no prior authentication, to send specially crafted SQL queries to the controller and thereby gain access to the underlying database. Such database access could serve as a stepping stone to further exploitation and damage.
Despite the seriousness of the vulnerability, VMware has not provided detailed information on the specific nature of the SQL queries that could be used in attacks or on potential interim mitigation strategies to minimize risks. The advisory hints at extensive database access possibilities, including potential access to user databases, which could facilitate even broader system breaches.
To remediate this vulnerability, VMware recommends that users promptly apply the available patches for Avi Load Balancer controllers. The patch version 30.1.2-2p2 addresses vulnerabilities for the affected versions 30.1.1 and 30.1.2. Additionally, VMware has released updated versions 30.2.1-2p5 and 30.2.2-2p2 that correct the security issues. Users currently on version 30.1.1 must first upgrade to version 30.1.2 or later before applying the patches.
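The upgrade path above has one subtlety worth encoding rather than remembering: a controller on 30.1.1 cannot go straight to the patched build but has to reach 30.1.2 first. The following script is an added example (not code from VMware, Broadcom or the Avi project) that turns the fixed builds named in the advisory summary into a small triage check for a controller inventory. It assumes that Avi version strings follow the `MAJOR.MINOR.PATCH[-NpM]` shape seen in the advisory (for instance `30.1.2-2p2`), that a higher `NpM` level on the same base version still contains the fix, and that any base version not named in the advisory should be reported as unknown rather than guessed at.

```python
"""Triage Avi Load Balancer controller versions against the CVE-2025-22217 fix list.

Added example. The fixed builds come from the advisory summary; the version-string
grammar (MAJOR.MINOR.PATCH[-NpM]) and the "higher patch level keeps the fix" rule
are assumptions made here, not statements from the vendor.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Base = Tuple[int, int, int]
Level = Tuple[int, int]

# Fixed builds named in the advisory, keyed by the affected base version.
# The second field is the prerequisite step the advisory calls out:
# 30.1.1 must move to 30.1.2 (or later) before the patch can be applied.
FIXED_BUILDS: Dict[Base, Tuple[str, Optional[str]]] = {
    (30, 1, 1): ("30.1.2-2p2", "upgrade to 30.1.2 or later first"),
    (30, 1, 2): ("30.1.2-2p2", None),
    (30, 2, 1): ("30.2.1-2p5", None),
    (30, 2, 2): ("30.2.2-2p2", None),
}

# Assumed grammar: "30.1.2-2p2" -> base (30, 1, 2), patch level (2, 2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+)p(\d+))?$")


def parse_version(text: str) -> Tuple[Base, Level]:
    """Split an Avi version string into a base tuple and a patch-level tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Avi version string: {text!r}")
    major, minor, patch, lvl_a, lvl_b = m.groups()
    base = (int(major), int(minor), int(patch))
    # A bare base version (no -NpM suffix) is treated as patch level (0, 0).
    level = (int(lvl_a), int(lvl_b)) if lvl_a is not None else (0, 0)
    return base, level


@dataclass
class Assessment:
    version: str
    status: str   # "patched", "vulnerable" or "unknown"
    action: str   # what the operator should do next


def assess(version: str) -> Assessment:
    """Decide whether one controller version is fixed and what to do if not."""
    base, level = parse_version(version)
    entry = FIXED_BUILDS.get(base)
    if entry is None:
        return Assessment(
            version, "unknown",
            "base version not listed in the advisory; check the vendor advisory directly",
        )
    fixed, prerequisite = entry
    fixed_base, fixed_level = parse_version(fixed)
    # Patched only when the base matches the fixed build and the patch level
    # is at or above it; 30.1.1 never matches because its fix lives on 30.1.2.
    if base == fixed_base and level >= fixed_level:
        return Assessment(version, "patched", "none")
    steps: List[str] = []
    if prerequisite:
        steps.append(prerequisite)
    steps.append(f"apply {fixed}")
    return Assessment(version, "vulnerable", ", then ".join(steps))


def triage(inventory: Dict[str, str]) -> List[Tuple[str, Assessment]]:
    """Return the controllers that still need work, vulnerable hosts first."""
    rank = {"vulnerable": 0, "unknown": 1, "patched": 2}
    assessed = [(host, assess(ver)) for host, ver in inventory.items()]
    assessed.sort(key=lambda pair: rank[pair[1].status])
    return [(host, a) for host, a in assessed if a.status != "patched"]


if __name__ == "__main__":
    # Constructed sample inventory; the host names and versions are made up.
    sample = {
        "lb-ctl-01": "30.1.1",
        "lb-ctl-02": "30.1.2-2p2",
        "lb-ctl-03": "30.2.1-2p4",
        "lb-ctl-04": "31.0.0",
    }
    for host, a in triage(sample):
        print(f"{host:10} {a.version:12} {a.status:10} {a.action}")
```

Running the script against a real inventory means exporting each controller's version string into the `sample` mapping; the `unknown` status is deliberate so that a version outside the advisory's list is surfaced for a manual check instead of being silently treated as safe.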
In light of the increasing frequency of attacks targeting VMware products, security experts urge IT administrators to implement the updates without delay. Recent incidents have highlighted the vulnerabilities in VMware's vCenter Server, underscoring the critical need for vigilance in addressing security flaws.