Critical SQL Injection Vulnerability Discovered in VMware Load Balancer


A high-severity vulnerability has been discovered in VMware Avi Load Balancer that could allow an attacker to gain unauthorized access to the appliance's database, Broadcom announced on Tuesday.

The vulnerability, tracked as CVE-2025-22217, carries a CVSS score of 8.6. Security researchers Daniel Kukuczka and Mateusz Darda reported the flaw, which is an unauthenticated blind SQL injection: the application builds a database query from attacker-controlled input without authentication, and although query results are not returned directly, differences in the application's response reveal whether an injected condition was true, which is enough to extract data one bit at a time.

According to Broadcom's advisory, a malicious actor with network access to the load balancer may be able to use specially crafted SQL queries to gain access to the database.
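To make the term "blind SQL injection" concrete, here is a generic illustration added to this article. It is not VMware Avi Load Balancer code and does not reflect the actual injection point in CVE-2025-22217, which Broadcom has not published; the table, column names and secret value are constructed. It shows a lookup that only answers "exists" or "does not exist", how a boolean oracle like that still leaks a secret character by character when the query is built by string formatting, and how binding the input as a parameter stops the same payloads.

```python
"""
Generic boolean-based blind SQL injection illustration (added example).
Not Avi Load Balancer code; schema and secret are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'k3y-7f2a')")
    conn.commit()
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """String-built query: attacker-controlled text is parsed as SQL."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, name: str) -> bool:
    """Parameterized query: the input is bound as data, never as SQL."""
    sql = "SELECT 1 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


def extract_api_key(oracle, max_len: int = 16) -> str:
    """
    Boolean-based blind extraction. `oracle(name)` returns only True/False
    (the caller never sees query output), yet one bit per request is enough
    to read the secret column out character by character.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, max_len + 1):
        found = False
        for ch in alphabet:
            # Constructed payload: closes the string literal, appends a
            # condition on the secret column, and comments out the
            # original closing quote with "--".
            payload = f"admin' AND substr(api_key,{pos},1)='{ch}' -- "
            if oracle(payload):
                recovered += ch
                found = True
                break
        if not found:  # no character matched: end of the secret
            break
    return recovered


def demo() -> dict:
    """Run the same oracle attack against the vulnerable and the safe lookup."""
    conn = make_db()
    leaked = extract_api_key(lambda n: user_exists_vulnerable(conn, n))
    blocked = extract_api_key(lambda n: user_exists_safe(conn, n))
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Against the string-built query the attacker recovers the full `api_key` value without ever seeing a row returned; against the parameterized query every payload is compared literally to the `name` column, no row matches, and nothing is recovered. The fix at the application level is always the second form: bind input as parameters rather than interpolating it into the query text.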

The affected software versions include:

  • VMware Avi Load Balancer 30.1.1
  • VMware Avi Load Balancer 30.1.2
  • VMware Avi Load Balancer 30.2.1
  • VMware Avi Load Balancer 30.2.2

Broadcom has released patches to address this vulnerability:

  • Version 30.1.1 users must upgrade to 30.1.2 before applying patch 30.1.2-2p2
  • Version 30.1.2 users should apply patch 30.1.2-2p2
  • Version 30.2.1 users should apply patch 30.2.1-2p5
  • Version 30.2.2 users should apply patch 30.2.2-2p2

The company noted that the older 22.x and 21.x branches are not affected by this vulnerability. Since no workarounds are available, administrators are strongly advised to apply the patched versions listed above and, in the meantime, to limit network access to the Avi management interface to trusted hosts.