VMware Warns of High-Risk Blind SQL Injection Bug in Avi Load Balancer

Virtualization technology giant VMware on Tuesday issued an urgent alert for a blind SQL injection flaw in its Avi Load Balancer, warning that attackers could exploit the issue to gain broader database access.

The vulnerability, tracked as CVE-2025-22217, carries a CVSS severity rating of 8.6/10.

The company described the security defect as an unauthenticated blind SQL injection vulnerability and urged enterprise admins to apply the available patches urgently, as there are no pre-patch workarounds.

A high-risk bulletin from VMware warned that “a malicious user with network access may be able to use specially crafted SQL queries to gain database access.”

VMware Avi Load Balancer is widely adopted to help organizations distribute and manage incoming traffic across multiple servers, ensuring reliable performance for cloud and on-premises applications. In addition to load balancing, it provides web application security and container ingress for cloud and datacenter applications.

The product is designed to work with traditional VM-based applications and container microservices.

VMware advises customers running Avi Load Balancer versions 30.1.1, 30.1.2, 30.2.1, and 30.2.2 to promptly deploy the available patches. Administrators are advised to upgrade to at least version 30.1.2 or later before applying the patch in cases where older releases are in place.

There are currently no known workarounds, making patching the only effective remedy.

The vulnerability was privately reported to VMware. The company credits researchers Daniel Kukuczka and Mateusz Darda with the discovery.
