Broadcom has launched safety updates to patch 5 safety flaws impacting VMware Aria Operations and Aria Operations for Logs, warning prospects that attackers may exploit them to realize elevated entry or acquire delicate data.
The listing of recognized flaws, which affect variations 8.x of the software program, is beneath –
- CVE-2025-22218 (CVSS rating: 8.5) – A malicious actor with View Solely Admin permissions could possibly learn the credentials of a VMware product built-in with VMware Aria Operations for Logs
- CVE-2025-22219 (CVSS rating: 6.8) – A malicious actor with non-administrative privileges could possibly inject a malicious script which will result in arbitrary operations as admin consumer through a saved cross-site scripting (XSS) assault
- CVE-2025-22220 (CVSS rating: 4.3) – A malicious actor with non-administrative privileges and community entry to Aria Operations for Logs API could possibly carry out sure operations within the context of an admin consumer
- CVE-2025-22221 (CVSS rating: 5.2) – A malicious actor with admin privileges to VMware Aria Operations for Logs could possibly inject a malicious script that may very well be executed in a sufferer’s browser when performing a delete motion within the Agent Configuration
- CVE-2025-22222 (CVSS rating: 7.7) – A malicious consumer with non-administrative privileges could exploit this vulnerability to retrieve credentials for an outbound plugin if a sound service credential ID is thought
Safety researchers Maxime Escourbiac from Michelin CERT, and Yassine Bengana and Quentin Ebel from Abicom and a part of the Michelin CERT crew for detecting and reporting the issues. It is value noting that the identical crew noticed two different shortcomings in the identical product (CVE-2024-38832 and CVE-2024-38833) in late November 2024.
All of the aforementioned vulnerabilities have been patched in VMware Aria Operations and Aria Operations for Logs model 8.18.3. The virtualization companies supplier makes no point out of those points being exploited within the wild.
The advisory comes days after Broadcom warned of a high-severity safety flaw in VMware Avi Load Balancer (CVE-2025-22217, CVSS rating: 8.6) that may very well be weaponized by malicious actors to realize database entry.
