VMware Avi Load Balancer Vulnerabilities Let Attackers Bypass Authentication

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Broadcom-owned VMware has disclosed multiple security flaws in its Avi Load Balancer platform (formerly NSX Advanced Load Balancer) that let attackers bypass authentication controls and gain unauthorized database access through crafted SQL queries.

The most severe of these, CVE-2025-22217, carries a CVSSv3 score of 8.6 and requires no authentication or user interaction to exploit.

The primary issue is an unauthenticated blind SQL injection vulnerability rooted in improper input sanitization within the Avi Load Balancer’s controller components.

A malicious actor with only network access can send specially crafted SQL queries to the affected system, effectively sidestepping login requirements and extracting sensitive information stored in the underlying database.

A related but lower-severity flaw, CVE-2025-41233, allows an already-authenticated user with network access to similarly abuse SQL queries, though it carries a CVSS score of 6.8 and requires higher privileges to trigger.

Two additional issues disclosed earlier compound the risk profile: CVE-2024-22264, a privilege escalation bug (CVSS 7.2) letting an admin-level attacker create, modify, and delete files as root on the host system, and CVE-2024-22266, an information disclosure flaw (CVSS 6.5) that exposes cloud connection credentials in plaintext within system logs.

Together, these vulnerabilities create a chain where authentication bypass, data exposure, and privilege escalation can compound one another in poorly segmented environments.

Affected Versions

CVE ID Vulnerability Type CVSS Score Affected Versions Fixed Version
CVE-2025-22217 Unauthenticated blind SQL injection 8.6 30.1.1, 30.1.2, 30.2.1, 30.2.2 30.1.2-2p2, 30.2.1-2p5, 30.2.2-2p2
CVE-2025-41233 Authenticated blind SQL injection 6.8 30.x, 22.x branches Refer to VMSA-2025-0011
CVE-2024-22264 Privilege escalation (root file access) 7.2 30.x.x, 22.1.x 30.2.1, 22.1.6
CVE-2024-22266 Plaintext credential disclosure in logs 6.5 30.x.x 30.2.1

Notably, the 21.x and 22.x version branches were confirmed unaffected by CVE-2025-22217, though administrators running 30.1.1 must first upgrade to 30.1.2 before applying the security patch.

Load balancers like Avi sit at the network edge, routing traffic for critical applications, which makes an authentication bypass here especially dangerous since a single exploited instance can expose backend databases and credentials across an entire application delivery infrastructure.

Security researchers Daniel Kukuczka and Mateusz Darda were credited with privately reporting the flagship SQL injection issue, and Broadcom confirmed no public proof-of-concept or active exploitation had been observed at disclosure time.

Mitigation Guidance

  • Apply Broadcom’s patched builds immediately, since no workarounds exist for CVE-2025-22217.
  • Upgrade version 30.1.1 to 30.1.2 first before layering on the 2p2 patch.
  • Restrict network-level access to Avi controller management interfaces to trusted administrative segments only.
  • Audit system logs for exposed cloud credentials tied to CVE-2024-22266 and rotate any potentially leaked secrets.
  • Review admin account privileges to limit exposure from the CVE-2024-22264 privilege escalation path.

Organizations running any Avi Load Balancer version between 30.1.1 and 30.2.2 should treat patching as urgent, given the combination of network-exploitable, authentication-bypassing flaws and the sensitive role these load balancers play in enterprise cloud infrastructure.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.