Source: www.securityweek.com – Author: Ryan Naraine
Virtualization technology giant VMware on Tuesday issued an urgent alert for a blind SQL injection flaw in its Avi Load Balancer, warning that attackers would exploit the issue to gain broader database access.
The vulnerability, tracked as CVE-2025-22217, carries a CVSS severity score of 8.6/10.
The company described the security defect as an unauthenticated blind SQL Injection vulnerability and urged enterprise admins to apply available patches urgently as there are no pre-patch workarounds.
A high-risk bulletin from VMware warned that “a malicious user with network access may be able to use specially crafted SQL queries to gain database access.”
The VMware Avi Load is widely adopted to help organizations distribute and manage incoming traffic across multiple servers, ensuring reliable performance for cloud and on-premises applications. In addition to load balancing, it provides web application security and container ingress for cloud and datacenter applications.
The product is designed to work with traditional VM-based applications and container microservices.
VMware advises customers running Avi Load Balancer versions 30.1.1, 30.1.2, 30.2.1, and 30.2.2 to quickly deploy available patches. Administrators are recommended to upgrade to at least version 30.1.2 or later before applying the patch in cases where older releases are in place.
There are currently no known workarounds, making patching the only effective remedy.
Advertisement. Scroll to continue reading.
The vulnerability was privately reported to VMware. The company credits researchers Daniel Kukuczka and Mateusz Darda with the discovery.
Related: VMware Discloses Exploitation of Hard-to-Fix vCenter Server Flaw
Related: VMware Struggles to Fix Flaw Exploited at Chinese Hacking Contest
Related: VMware Patches High-Severity SQL Injection Flaw in HCX Platform
Related: VMware Patches RCE Flaw Found in Chinese Hacking Contest
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Daily Briefing Newsletter
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.
Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.
Original Post URL: https://www.securityweek.com/vmware-warns-of-high-risk-blind-sql-injection-bug-in-avi-load-balancer/
Category & Tags: Malware & Threats,Vulnerabilities,Avi Load Balancer,SQL injection,VMware – Malware & Threats,Vulnerabilities,Avi Load Balancer,SQL injection,VMware
Views: 3
