Broadcom has alerted of a high-severity security flaw in VMware Avi Load Balancer that could be weaponized by malicious actors to gain entrenched database access.
The vulnerability, tracked as CVE-2025-22217 (CVSS score: 8.6), has been described as an unauthenticated blind SQL injection.
“A malicious user with network access may be able to use specially crafted SQL queries to gain database access,” the company said in an advisory issued Tuesday.
Security researchers Daniel Kukuczka and Mateusz Darda have been acknowledged for discovering and reporting the vulnerability.
It affects the following version of the software –
- VMware Avi Load Balancer 30.1.1 (Fixed in 30.1.2-2p2)
- VMware Avi Load Balancer 30.1.2 (Fixed in 30.1.2-2p2)
- VMware Avi Load Balancer 30.2.1 (Fixed in 30.2.1-2p5)
- VMware Avi Load Balancer 30.2.2 (Fixed in 30.2.2-2p2)
Broadcom further noted that versions 22.x and 21.x are not susceptible to CVE-2025-22217, and that users running version 30.1.1 must first upgrade to 30.1.2 or later before applying the patch.
There are no workarounds that address the shortcoming, necessitating that customers update their instances to the latest version for optimal protection.
