Critical VMware Avi Load Balancer Flaws Let Attackers Bypass Authentication
Key Takeaways Multiple critical vulnerabilities have been uncovered in VMware’s Avi Load Balancer, including an unauthenticated SQL injection flaw. The most severe vulnerability, CVE-2025-22217...
Key Takeaways
- Multiple critical vulnerabilities have been uncovered in VMware’s Avi Load Balancer, including an unauthenticated SQL injection flaw.
- The most severe vulnerability, CVE-2025-22217 (CVSSv3 8.6), allows attackers to bypass authentication and access underlying databases.
- Affected versions include 30.1.1, 30.1.2, 30.2.1, and 30.2.2, with patches now available.
- The flaws could lead to full system compromise, sensitive data exposure, and privilege escalation if exploited.
Critical Flaws in VMware Avi Load Balancer Expose Databases, Bypass Authentication
Broadcom-owned VMware has issued an urgent security advisory regarding several significant vulnerabilities within its Avi Load Balancer platform, formerly known as NSX Advanced Load Balancer. These flaws collectively enable threat actors to circumvent authentication mechanisms and gain unauthorized access to critical database information through specially crafted SQL queries.
Table Of Content
The most pressing of these issues, identified as CVE-2025-22217, carries a high CVSSv3 score of 8.6. This particular vulnerability requires no prior authentication or user interaction for successful exploitation, making it a significant threat to affected systems.
Unauthenticated SQL Injection Poses Major Risk
At the core of the critical concern is an unauthenticated blind SQL injection vulnerability, stemming from inadequate input sanitization within the Avi Load Balancer’s controller components. An attacker with basic network access can exploit this flaw by sending malicious SQL queries, thereby bypassing login credentials and extracting sensitive data from the backend database.
A related, though less severe, vulnerability, CVE-2025-41233 (CVSSv3 6.8), involves an authenticated blind SQL injection. This flaw permits an authenticated user with network access to similarly manipulate SQL queries, though it demands higher privileges to trigger an exploit.
Further compounding the risk landscape are two additional vulnerabilities previously disclosed: CVE-2024-22264 and CVE-2024-22266. CVE-2024-22264, a privilege escalation bug with a CVSSv3 score of 7.2, allows an attacker with administrative privileges to create, modify, or delete files as the root user on the host system. CVE-2024-22266, an information disclosure flaw rated 6.5, exposes cloud connection credentials in plaintext within system logs.
These vulnerabilities, when chained together, present a formidable attack vector. An initial authentication bypass could lead to data exposure and subsequent privilege escalation, particularly in environments with poor network segmentation.
Affected Versions and Patching Information
The following table outlines the specific CVEs, their types, CVSS scores, and the affected and fixed versions:
| CVE ID | Vulnerability Type | CVSS Score | Affected Versions | Fixed Version |
|---|---|---|---|---|
| CVE-2025-22217 | Unauthenticated blind SQL injection | 8.6 | 30.1.1, 30.1.2, 30.2.1, 30.2.2 | 30.1.2-2p2, 30.2.1-2p5, 30.2.2-2p2 |
| CVE-2025-41233 | Authenticated blind SQL injection | 6.8 | 30.x, 22.x branches | Refer to VMSA-2025-0011 |
| CVE-2024-22264 | Privilege escalation (root file access) | 7.2 | 30.x.x, 22.1.x | 30.2.1, 22.1.6 |
| CVE-2024-22266 | Plaintext credential disclosure in logs | 6.5 | 30.x.x | 30.2.1 |
It is important to note that the 21.x and 22.x branches are not affected by CVE-2025-22217. Organizations running version 30.1.1 must first upgrade to 30.1.2 before applying the necessary security patch.
Load balancers like the Avi platform are strategically positioned at the network edge, managing traffic for critical applications. The presence of an authentication bypass vulnerability in such a crucial component is particularly alarming, as a single compromised instance could expose entire backend databases and credentials across an organization’s application delivery infrastructure.
Security researchers Daniel Kukuczka and Mateusz Darda are credited with responsibly disclosing the primary SQL injection flaw. Broadcom confirmed that, as of the disclosure date, there was no evidence of public proof-of-concept exploits or active exploitation in the wild.
What You Should Do
- Immediately apply Broadcom’s patched builds, as no workarounds are available for CVE-2025-22217.
- If running version 30.1.1, upgrade to 30.1.2 before applying the 2p2 patch.
- Restrict network access to Avi controller management interfaces, allowing connections only from trusted administrative network segments.
- Conduct thorough audits of system logs for any exposed cloud credentials related to CVE-2024-22266 and promptly rotate any secrets that may have been compromised.
- Review and adjust administrative account privileges to minimize the potential impact of the CVE-2024-22264 privilege escalation vulnerability.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.