VMware Avi Load Balancer SQL Injection Flaws Expose Database Access


Two VMware Avi Load Balancer vulnerabilities can give attackers unauthorized access to the controller database through blind SQL injection. The more serious flaw, CVE-2025-22217, requires only network access and no authentication.

CVE-2025-41233 uses a similar attack method but requires an authenticated user with high privileges. Broadcom has released controller patches for both vulnerabilities and lists no workarounds.

The flaws do not provide a conventional authentication bypass that logs an attacker into the Avi management interface. CVE-2025-22217 instead lets an unauthenticated network attacker send crafted SQL queries and potentially obtain database information without first supplying valid credentials.

CVE-2025-22217 Allows Unauthenticated SQL Injection

CVE-2025-22217 is an unauthenticated blind SQL injection vulnerability in VMware Avi Load Balancer, formerly known as VMware NSX Advanced Load Balancer.

According to Broadcom advisory VMSA-2025-0002, an attacker with network access can send specially crafted SQL queries to gain database access. The vulnerability has a CVSS v3.1 score of 8.6 and requires no user interaction.

The CVSS vector indicates high confidentiality impact but no direct integrity or availability impact in the vendor assessment. Broadcom does not describe the flaw as remote code execution or claim that it automatically gives attackers operating-system access.

CVEVulnerabilityAuthentication requiredCVSS scorePrimary impact
CVE-2025-22217Blind SQL injectionNo8.6Unauthorized database access and information exposure
CVE-2025-41233Blind SQL injectionYes, high privileges6.8Database access through crafted queries
CVE-2024-22264Privilege escalationAdministrator privileges7.2Root-level file creation, modification, execution, and deletion
CVE-2024-22266Information disclosureAccess to system logs6.5Exposure of plaintext cloud connection credentials

What Blind SQL Injection Means

SQL injection occurs when an application fails to safely separate user-controlled input from database commands. An attacker can alter the intended query by supplying specially constructed input.

In a blind SQL injection attack, the application does not directly display the database response. The attacker instead infers information from differences in timing, errors, response behavior, or other observable results.

This process can take longer than direct SQL injection, but automation allows an attacker to gradually extract database values. Network restrictions around the controller can reduce exposure, although patching remains necessary because Broadcom provides no workaround.

Affected CVE-2025-22217 Versions and Patches

CVE-2025-22217 affects four Avi Load Balancer releases in the 30.x branch. Versions 21.x and 22.x are not vulnerable to this specific issue.

Systems running 30.1.1 require an intermediate upgrade. Administrators must first move to 30.1.2 or later before installing the applicable patch.

The following table reflects Broadcomโ€™s official response matrix.

Installed versionRequired fixed buildAdditional requirement
30.1.130.1.2-2p2Upgrade to 30.1.2 or later before applying the patch
30.1.230.1.2-2p2Apply the controller patch
30.2.130.2.1-2p5Apply the controller patch
30.2.230.2.2-2p2Apply the controller patch
21.x and 22.xNot applicableBroadcom lists these branches as unaffected

CVE-2025-41233 Requires an Authenticated User

CVE-2025-41233 is a separate blind SQL injection vulnerability disclosed in May 2025. It requires an authenticated user with network access.

The VMSA-2025-0011 security advisory assigns the flaw a CVSS score of 6.8. Its attack vector requires high privileges and no user interaction.

An attacker who already controls a privileged Avi account could submit crafted SQL queries and gain database access beyond the intended application workflow. This makes compromised administrative accounts and excessive role assignments especially important during risk assessment.

Corrected CVE-2025-41233 Patch Matrix

The affected-version range for CVE-2025-41233 is narrower than a general reference to all 30.x and 22.x releases. Broadcom identifies specific 30.x builds and version 31.1.1.

Version 30.2.3 is marked unaffected because it already contains the correction. Versions 21.x and 22.x are also listed as unaffected.

Administrators should use the following fixed builds or a later supported release that includes the security correction.

Installed versionFixed buildStatus
30.1.130.1.2-2p3Affected
30.1.230.1.2-2p3Affected
30.2.130.2.1-2p6Affected
30.2.230.2.2-2p5Affected
30.2.3Not applicableUnaffected
31.1.131.1.1-2p2Affected
21.x and 22.xNot applicableUnaffected

Why the Later Patch Level Matters

Organizations running a build previously patched for CVE-2025-22217 may still need another update for CVE-2025-41233. For example, 30.2.1-2p5 fixes the unauthenticated flaw, while 30.2.1-2p6 fixes the later authenticated vulnerability.

The same pattern applies to other branches. Administrators should not assume that installing the January 2025 patch protects a system from vulnerabilities disclosed several months later.

A practical approach is to deploy the latest supported maintenance build approved for the organizationโ€™s Avi environment, after confirming compatibility and upgrade-path requirements in Broadcomโ€™s release notes.

BranchCVE-2025-22217 fixCVE-2025-41233 fix
30.1.230.1.2-2p230.1.2-2p3
30.2.130.2.1-2p530.2.1-2p6
30.2.230.2.2-2p230.2.2-2p5

Older Avi Vulnerabilities Belong to a Separate Advisory

CVE-2024-22264 and CVE-2024-22266 were disclosed in May 2024 through a separate security advisory. They are not additional SQL injection vulnerabilities.

Broadcom advisory VMSA-2024-0009 describes a privilege-escalation flaw and an information-disclosure issue. Both require existing access.

These vulnerabilities can increase the damage from a broader compromise, but Broadcom does not document them as a single verified exploit chain with the later SQL injection flaws.

CVE-2024-22264 Gives Administrators Root-Level File Control

CVE-2024-22264 has a CVSS score of 7.2. A malicious actor who already has Avi administrator privileges can create, modify, execute, and delete files as the root user on the host system.

The requirement for administrator privileges limits the initial attack surface. However, the impact is serious if an attacker has compromised an admin account or obtained elevated application access through another method.

Broadcom fixed the flaw in Avi Load Balancer 30.2.1 for the 30.x branch and 22.1.6 for the 22.1.x branch.

CVE-2024-22266 Exposes Cloud Credentials in Logs

CVE-2024-22266 has a CVSS score of 6.5. An attacker with access to Avi system logs may view cloud connection credentials stored in plaintext.

The flaw affects the 30.x branch and was fixed in version 30.2.1. Broadcomโ€™s response matrix does not list 22.1.x as affected by this information-disclosure issue.

Organizations that ran vulnerable releases should review historical log access and rotate cloud credentials that may have appeared in plaintext. Installing the update stops the vulnerable behavior but does not invalidate secrets already exposed.

Minimum Fixed Versions for the 2024 Vulnerabilities

CVEAffected branchFixed version
CVE-2024-2226430.x.x30.2.1
CVE-2024-2226422.1.x22.1.6
CVE-2024-2226630.x.x30.2.1

Why Avi Controller Exposure Matters

Avi Load Balancer controllers manage application-delivery configuration, service engines, cloud connections, and operational data. Their management interfaces should not be exposed to untrusted networks.

CVE-2025-22217 requires network access but no application credentials. Restricting access to the controller limits who can reach the vulnerable interface and reduces opportunities for exploitation while administrators complete patching.

Network segmentation is not a substitute for the update. An attacker who compromises an internal workstation, VPN account, management host, or adjacent service may still reach an internally exposed controller.

How to Reduce the Attack Surface

  • Place Avi controller interfaces on dedicated management networks.
  • Permit administrative access only from approved jump hosts and administrator subnets.
  • Block direct internet access to controller management services.
  • Require multi-factor authentication for administrative accounts.
  • Apply least privilege to Avi user roles.
  • Remove inactive administrators and unused automation accounts.
  • Restrict access to system logs containing sensitive operational data.
  • Monitor database errors, unusual controller requests, and unexpected API activity.
  • Rotate cloud credentials that may have appeared in vulnerable logs.
  • Maintain configuration backups and a tested controller recovery process.

How Administrators Should Patch Avi Load Balancer

Administrators should inventory every Avi controller and record the exact version, patch suffix, deployment model, and supported upgrade path. Major version alone is not enough because the fixes use specific patch builds.

The official CVE-2025-22217 response matrix and CVE-2025-41233 response matrix should guide the minimum build selection.

Organizations should preferably deploy a current supported build that includes both corrections and any later security updates.

  1. Identify every Avi controller and its complete build number.
  2. Compare each build with all applicable Broadcom response matrices.
  3. Upgrade 30.1.1 to 30.1.2 or later before applying the required patch.
  4. Back up the controller configuration before maintenance.
  5. Test the update in a representative non-production environment.
  6. Apply the security build to the Avi Controller as directed by Broadcom.
  7. Verify controller health, cluster status, service engines, and virtual services.
  8. Confirm that management interfaces remain restricted after the upgrade.
  9. Review logs and privileged-account activity for possible earlier abuse.
  10. Document the final patch suffix rather than only the major release number.

No Vendor Workarounds Are Available

Broadcom lists no workaround for either SQL injection vulnerability. Network access controls can reduce exposure, but only the fixed controller builds remediate the vulnerable code.

The same applies to the two 2024 vulnerabilities. Broadcomโ€™s 2024 Avi security bulletin lists updates rather than configuration-based workarounds.

Organizations unable to patch immediately should isolate management access, increase logging, monitor administrator activity, protect system logs, and prepare an accelerated maintenance window.

What to Monitor for Possible SQL Injection Activity

Broadcomโ€™s advisories do not publish detailed exploit indicators or request patterns. Defenders should therefore rely on behavior, controller telemetry, network visibility, and database-related errors.

Blind SQL injection can generate repeated requests containing small input variations. The attacker may adjust conditions character by character while using timing or response differences to infer database information.

  • Repeated requests to controller endpoints from one source
  • Unexpected SQL errors in application or controller logs
  • Requests containing SQL operators, comments, or timing functions
  • Unusual response delays tied to similar requests
  • Management traffic from new internal or external addresses
  • Privileged users querying resources outside normal duties
  • Unexpected database load or repeated query failures
  • New administrative sessions before suspicious database activity

These Are Not July 2026 Vulnerabilities

The SQL injection and 2024 privilege issues remain relevant to organizations running unpatched Avi versions, but their original publication dates range from May 2024 to May 2025.

Broadcom published a different Avi Load Balancer advisory on July 14, 2026 covering seven CVE-2026 vulnerabilities. Administrators can track that separate release through the VMware Security Blog and Broadcomโ€™s security-advisory portal.

Security teams should review both the older SQL injection patches and the newest advisories. Installing only the minimum builds listed in a 2024 or early 2025 bulletin may leave a controller exposed to vulnerabilities disclosed later.

Final Patch Priorities

CVE-2025-22217 should receive priority because it requires no authentication and has no workaround. Any vulnerable controller reachable from an untrusted or broadly accessible network carries greater risk.

CVE-2025-41233 should also be patched because compromised privileged accounts can use it to reach the database. Organizations should then confirm that the 2024 root-file and plaintext-credential fixes are present.

The current VMware security advisory feed should be checked before each maintenance cycle so administrators select a supported build containing all subsequent Avi security corrections.

FAQ

Does CVE-2025-22217 bypass Avi Load Balancer authentication?

Broadcom describes it as an unauthenticated blind SQL injection vulnerability rather than a conventional login bypass. An attacker with network access can submit crafted SQL queries and potentially gain database access without first authenticating.

Which Avi Load Balancer versions are affected by CVE-2025-22217?

Broadcom lists versions 30.1.1, 30.1.2, 30.2.1, and 30.2.2 as affected. Versions 21.x and 22.x are unaffected. Version 30.1.1 must be upgraded to 30.1.2 or later before applying the patch.

Which versions are affected by CVE-2025-41233?

Affected releases are 30.1.1, 30.1.2, 30.2.1, 30.2.2, and 31.1.1. Broadcom marks 30.2.3, 21.x, and 22.x as unaffected.

Are workarounds available for the Avi SQL injection flaws?

No. Broadcom lists no workarounds for CVE-2025-22217 or CVE-2025-41233. Restricting controller access reduces exposure but does not replace the security patches.

What does CVE-2024-22266 expose?

CVE-2024-22266 can expose cloud connection credentials stored in plaintext in Avi system logs to an attacker who can access those logs. Organizations should patch and rotate credentials that may have been exposed.

Were these vulnerabilities disclosed in July 2026?

No. Broadcom disclosed the four vulnerabilities across separate advisories in May 2024, January 2025, and May 2025. Its July 14, 2026 Avi Load Balancer advisory covers a different set of seven vulnerabilities.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages