Sunday, February 23, 2025

Broadcom Patches VMware Aria Flaws – Exploits May Lead to Credential Theft


Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning customers that attackers could exploit them to gain elevated access or obtain sensitive information.

The list of identified flaws, which affect versions 8.x of the software, is below –

  • CVE-2025-22218 (CVSS score: 8.5) – A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs
  • CVE-2025-22219 (CVSS score: 6.8) – A malicious actor with non-administrative privileges may be able to inject a malicious script that can lead to arbitrary operations as an admin user by means of a stored cross-site scripting (XSS) attack
  • CVE-2025-22220 (CVSS score: 4.3) – A malicious actor with non-administrative privileges and network access to the Aria Operations for Logs API may be able to perform certain operations in the context of an admin user
  • CVE-2025-22221 (CVSS score: 5.2) – A malicious actor with admin privileges to VMware Aria Operations for Logs may be able to inject a malicious script that could be executed in a victim's browser when performing a delete action in the Agent Configuration
  • CVE-2025-22222 (CVSS score: 7.7) – A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if a valid service credential ID is known

Security researchers Maxime Escourbiac from Michelin CERT, and Yassine Bengana and Quentin Ebel from Abicom and part of the Michelin CERT team, are credited with detecting and reporting the issues. It is worth noting that the same team found two other shortcomings in the same product (CVE-2024-38832 and CVE-2024-38833) in late November 2024.


All of the aforementioned vulnerabilities have been patched in VMware Aria Operations and Aria Operations for Logs version 8.18.3. The virtualization services provider makes no mention of these issues being exploited in the wild.

The advisory comes days after Broadcom warned of a high-severity security flaw in VMware Avi Load Balancer (CVE-2025-22217, CVSS score: 8.6) that could be weaponized by malicious actors to gain database access.
