Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning customers that attackers could exploit them to gain elevated access or obtain sensitive information.
The list of identified flaws, which impact versions 8.x of the software, is below –
- CVE-2025-22218 (CVSS score: 8.5) – A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs
- CVE-2025-22219 (CVSS score: 6.8) – A malicious actor with non-administrative privileges may be able to inject a malicious script that may lead to arbitrary operations as admin user via a stored cross-site scripting (XSS) attack
- CVE-2025-22220 (CVSS score: 4.3) – A malicious actor with non-administrative privileges and network access to Aria Operations for Logs API may be able to perform certain operations in the context of an admin user
- CVE-2025-22221 (CVSS score: 5.2) – A malicious actor with admin privileges to VMware Aria Operations for Logs may be able to inject a malicious script that could be executed in a victim’s browser when performing a delete action in the Agent Configuration
- CVE-2025-22222 (CVSS score: 7.7) – A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if a valid service credential ID is known
Security researchers Maxime Escourbiac from Michelin CERT, and Yassine Bengana and Quentin Ebel from Abicom and part of the Michelin CERT team for detecting and reporting the flaws. It’s worth noting that the same team spotted two other shortcomings in the same product (CVE-2024-38832 and CVE-2024-38833) in late November 2024.
All the aforementioned vulnerabilities have been patched in VMware Aria Operations and Aria Operations for Logs version 8.18.3. The virtualization services provider makes no mention of these issues being exploited in the wild.
The advisory comes days after Broadcom warned of a high-severity security flaw in VMware Avi Load Balancer (CVE-2025-22217, CVSS score: 8.6) that could be weaponized by malicious actors to gain database access.
