Broadcom has issued security updates to address five vulnerabilities affecting VMware Aria Operations and Aria Operations for Logs. The company cautions customers that attackers could exploit these flaws to gain elevated access or read sensitive information.
Here’s a list of the identified vulnerabilities, which affect versions 8.x of the software:
- CVE-2025-22218 (CVSS score: 8.5) – An attacker with View Only Admin permissions might be able to read the credentials of a VMware product that is integrated with VMware Aria Operations for Logs.
- CVE-2025-22219 (CVSS score: 6.8) – An attacker with non-administrative privileges could potentially inject a malicious script, leading to arbitrary operations as an admin user through a stored cross-site scripting (XSS) attack.
- CVE-2025-22220 (CVSS score: 4.3) – An attacker with non-administrative privileges and network access to the Aria Operations for Logs API may be able to perform certain actions in the context of an admin user.
- CVE-2025-22221 (CVSS score: 5.2) – An attacker with admin privileges to VMware Aria Operations for Logs could inject a malicious script that might execute in a victim’s browser when a delete action is performed in the Agent Configuration.
- CVE-2025-22222 (CVSS score: 7.7) – A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if they know a valid service credential ID.
Security researchers Maxime Escourbiac from Michelin CERT, along with Yassine Bengana and Quentin Ebel from Abicom, are credited with discovering and reporting these vulnerabilities. Notably, the same team identified two additional issues in the same product (CVE-2024-38832 and CVE-2024-38833) in late November 2024.
All the vulnerabilities mentioned have been addressed in VMware Aria Operations and Aria Operations for Logs version 8.18.3. The virtualization services provider has not indicated that these issues have been exploited in the wild.
This advisory was released just days after Broadcom alerted users to a high-severity security flaw in VMware Avi Load Balancer (CVE-2025-22217, CVSS score: 8.6), which could potentially be exploited by malicious actors to gain access to databases.