VMware fixed a high-risk blind SQL injection vulnerability in Avi Load Balancer, allowing attackers to exploit databases via crafted queries.
VMware warns of a high-risk blind SQL injection vulnerability, tracked as CVE-2025-22217 (CVSS score of 8.6), in Avi Load Balancer, allowing attackers with network access to exploit databases via crafted queries.
“VMware AVI Load Balancer contains an unauthenticated blind SQL Injection vulnerability.” reads the advisory. “A malicious user with network access may be able to use specially crafted SQL queries to gain database access.”
VMware Avi Load Balancer, formerly known as Avi Vantage, is a next-generation application delivery controller (ADC) that provides advanced load balancing, application analytics, and security for modern multi-cloud environments. Unlike traditional hardware-based load balancers, it is software-defined and operates across public, private, and hybrid cloud infrastructures.
The vulnerability is an unauthenticated blind SQL Injection issue that was privately reported to the virtualization giant by Daniel Kukuczka and Mateusz Darda.
The company pointed out that there are no workarounds for this vulnerability and urged customers to address it, as soon as possible.
The vulnerability affects Avi Load Balancer versions 30.1.1, 30.1.2, 30.2.1, and 30.2.2, with security patches now available.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Avi Load Balancer)