Critical SQL Injection Flaw in VMware Load Balancer Puts Database Access at Risk

Critical Security Vulnerability Discovered in VMware Avi Load Balancer

Broadcom has disclosed a significant security vulnerability (CVE-2025-22217) affecting VMware Avi Load Balancer, carrying a high-severity CVSS score of 8.6. The flaw, identified as an unauthenticated blind SQL injection, enables malicious actors with network access to execute specially crafted SQL queries, potentially compromising database security.
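To make the class of flaw concrete, the following is an added educational example and is not code from VMware Avi Load Balancer or from the advisory; nothing here reflects the product's actual schema, endpoints or query logic. It uses a constructed in-memory SQLite table and contrasts a hypothetical query that concatenates untrusted input (the pattern behind a blind SQL injection) with the same query written with a bound parameter. The "blind" aspect is visible in the result: the concatenated query answers a true/false probe differently, giving an unauthenticated caller an oracle, while the parameterised query treats both probes as literal, non-matching names.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data for the demo; not the Avi Load Balancer schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pools (name TEXT NOT NULL, backend TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO pools VALUES (?, ?)",
        [("web", "backend-a"), ("api", "backend-b"), ("reports", "backend-c")],
    )
    return conn


def count_pools_vulnerable(conn: sqlite3.Connection, name: str) -> int:
    """Hypothetical vulnerable pattern: untrusted input is spliced into the SQL text,
    so a quote in `name` ends the literal and the remainder becomes SQL syntax."""
    sql = "SELECT COUNT(*) FROM pools WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()[0]


def count_pools_safe(conn: sqlite3.Connection, name: str) -> int:
    """Hardened form: the value is bound as a parameter, so it is only ever data.
    The driver never interprets quotes or keywords inside `name` as SQL."""
    sql = "SELECT COUNT(*) FROM pools WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0]


def demo() -> dict:
    """Send a boolean probe pair through both code paths and report the counts.

    In the vulnerable path the two probes produce different results (3 vs 0),
    which is exactly the yes/no signal a blind injection relies on. In the safe
    path both probes are just pool names that do not exist, so both return 0.
    """
    conn = build_db()
    probe_true = "x' OR '1'='1"   # constructed probe: always-true condition
    probe_false = "x' OR '1'='2"  # constructed probe: always-false condition
    return {
        "vuln_true": count_pools_vulnerable(conn, probe_true),
        "vuln_false": count_pools_vulnerable(conn, probe_false),
        "safe_true": count_pools_safe(conn, probe_true),
        "safe_false": count_pools_safe(conn, probe_false),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count}")
```

The fix illustrated is the standard one, which is why the advisory offers no configuration workaround: when input is concatenated into SQL text, only the code path itself can be corrected, which is why the vendor patch (and, for 30.1.1, the prerequisite upgrade to 30.1.2 first) is the remediation rather than any filter placed in front of the service.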

Affected Versions and Fixes:
– VMware Avi Load Balancer 30.1.1 (Patch: 30.1.2-2p2)
– VMware Avi Load Balancer 30.1.2 (Patch: 30.1.2-2p2)
– VMware Avi Load Balancer 30.2.1 (Patch: 30.2.1-2p5)
– VMware Avi Load Balancer 30.2.2 (Patch: 30.2.2-2p2)

Important Notes:
– Versions 22.x and 21.x are not affected
– Version 30.1.1 users must upgrade to 30.1.2 or later before applying the security patch
– No alternative workarounds are available
– Immediate update to the latest version is recommended for security

Credit for discovering this vulnerability goes to security researchers Daniel Kukuczka and Mateusz Darda.