CVE-2025-22217

Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. A malicious user with network access may be able to use specially crafted SQL queries to gain database access.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25346

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Avi Load Balancer contiene una vulnerabilidad de inyección SQL ciega no autenticada que se informó de forma privada a VMware. Hay parches disponibles para solucionar esta vulnerabilidad en los productos VMware afectados. Un usuario malintencionado con acceso a la red podría utilizar consultas SQL especialmente manipuladas para obtener acceso a la base de datos.

28 Jan 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-28 19:15

Updated : 2026-06-17 08:45

NVD link : CVE-2025-22217

Mitre link : CVE-2025-22217

CVE.ORG link : CVE-2025-22217

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-22217", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-22217", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2025-01-29T04:55:31.130108Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@vmware.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security@vmware.com", "affectedData": [{"vendor": "N/A", "product": "VMware AVI Load Balancer", "versions": [{"status": "affected", "version": "VMware AVI Load Balancer 30.1.x and VMware AVI Load Balancer 30.2.x and"}], "defaultStatus": "unaffected"}]}], "published": "2025-01-28T19:15:14.640", "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25346", "source": "security@vmware.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@vmware.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.\u00a0\n\nA malicious user with network access may be able to use specially crafted SQL queries to gain database access."}, {"lang": "es", "value": "Avi Load Balancer contiene una vulnerabilidad de inyecci\u00f3n SQL ciega no autenticada que se inform\u00f3 de forma privada a VMware. Hay parches disponibles para solucionar esta vulnerabilidad en los productos VMware afectados. Un usuario malintencionado con acceso a la red podr\u00eda utilizar consultas SQL especialmente manipuladas para obtener acceso a la base de datos."}], "lastModified": "2026-06-17T08:45:39.987", "sourceIdentifier": "security@vmware.com"}