Analysis Summary

Broadcom has released crucial security updates to patch five vulnerabilities in VMware Aria Operations and Aria Operations for Logs, warning that attackers could exploit these flaws to gain elevated access or retrieve sensitive credentials. These vulnerabilities impact versions 8.x of the software, and security researchers were credited for discovering them. The vulnerabilities include CVE-2025-22218 (CVSS 8.5), which allows an attacker with View Only Admin permissions to extract credentials of an integrated VMware product, and CVE-2025-22222 (CVSS 7.7), which lets a non-administrative user retrieve credentials for an outbound plugin if they know a valid service credential ID. These flaws pose a significant risk by potentially exposing sensitive information to unauthorized users.

Other identified vulnerabilities include CVE-2025-22219 (CVSS 6.8), which enables non-administrative users to inject malicious scripts leading to stored cross-site scripting (XSS) attacks, allowing arbitrary operations as an admin. CVE-2025-22220 (CVSS 4.3) affects the API, permitting a non-admin attacker with network access to perform certain operations as an admin. CVE-2025-22221 (CVSS 5.2) involves an admin-level stored XSS flaw, where a malicious actor could execute a script in a victim’s browser when performing delete actions in Agent Configuration. These vulnerabilities could enable privilege escalation, unauthorized operations, and potential data breaches.

Broadcom has confirmed that all the mentioned flaws have been patched in VMware Aria Operations and Aria Operations for Logs version 8.18.3. Notably, the same research team had previously discovered two other vulnerabilities in the same product, CVE-2024-38832, and CVE-2024-38833, in late November 2024. However, Broadcom has not indicated any known instances of these vulnerabilities being exploited in the wild. Organizations using affected versions are strongly advised to update their systems immediately to mitigate potential threats.

This security advisory follows another recent Broadcom alert regarding a high-severity vulnerability (CVE-2025-22217, CVSS 8.6) in VMware Avi Load Balancer. This flaw could allow attackers to gain database access, further highlighting ongoing security risks in VMware products. Given the critical nature of these vulnerabilities, organizations should prioritize applying patches and implementing security best practices to prevent potential exploitation by threat actors.

Impact

• Sensitive Credentials Theft
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2025-22218

• CVE-2025-22222

• CVE-2025-22219

• CVE-2025-22220

• CVE-2025-22221

Remediation

• Immediately upgrade to VMware Aria Operations and Aria Operations for Logs version 8.18.3, which patches all identified vulnerabilities.
• Minimize user privileges by ensuring only necessary users have administrative or sensitive access. Limit the use of View Only Admin roles where possible.
• Regularly review logs for any unauthorized or suspicious activity that may indicate potential To prevent cross-site scripting (XSS) attacks (CVE-2025-22219 & CVE-2025-22221), ensure proper sanitization and validation of user inputs.
• Restrict network access to the Aria Operations for Logs API and apply strict authentication measures to prevent unauthorized execution of operations (CVE-2025-22220).
• Regularly rotate and store sensitive credentials securely to mitigate the risk of credential exposure (CVE-2025-22218 & CVE-2025-22222).
• Deploy WAF protections to detect and block malicious script injections that could exploit XSS vulnerabilities.
• Continuously monitor Broadcom and VMware security bulletins for new vulnerabilities and patches.
• Ensure users and services only have the minimum required permissions to reduce potential attack vectors.