VMware Avi Load Balancer Vulnerability Let Attackers Gain Database Access

Broadcom disclosed a critical vulnerability affecting its Avi Load Balancer product.

The vulnerability, identified as CVE-2025-22217, is an unauthenticated blind SQL injection flaw: an attacker with network access to the Avi Load Balancer could send specially crafted SQL queries and gain unauthorized access to the underlying database.

The issue was privately reported to VMware and has been classified with a CVSSv3 base score of 8.6, placing it in the “Important” severity range.

The vulnerability arises from improper input sanitization in the Avi Load Balancer, enabling attackers to exploit the system without authentication.

Exploiting this flaw could lead to significant security breaches, including unauthorized database access and potential data compromise.

Affected & Fixed Versions

Broadcom has released patches for all affected versions to address this vulnerability. Users are strongly advised to apply the updates listed in the Response Matrix below:

Product                  | Affected Version | Fixed Version
VMware Avi Load Balancer | 30.1.1           | 30.1.2-2p2
VMware Avi Load Balancer | 30.1.2           | 30.1.2-2p2
VMware Avi Load Balancer | 30.2.1           | 30.2.1-2p5
VMware Avi Load Balancer | 30.2.2           | 30.2.2-2p2

No workarounds are available for this issue, making it imperative for administrators to deploy the patches immediately.

VMware has credited security researchers Daniel Kukuczka and Mateusz Darda for identifying and reporting this vulnerability.

Organizations using VMware Avi Load Balancer should take the following steps:

  1. Identify affected systems running vulnerable versions of the software.
  2. Apply the recommended patches as soon as possible.
  3. Monitor network activity for any suspicious behavior that could indicate exploitation attempts.
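As an added example that is not part of the advisory, the following Python script supports the first step by checking an inventory of reported Avi controller versions against the response matrix above. It assumes versions are reported in the same "X.Y.Z-NpM" notation the matrix uses; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Response matrix from the advisory: affected base version -> first fixed build.
RESPONSE_MATRIX = {
    "30.1.1": "30.1.2-2p2",
    "30.1.2": "30.1.2-2p2",
    "30.2.1": "30.2.1-2p5",
    "30.2.2": "30.2.2-2p2",
}

# Assumed notation: "major.minor.patch" optionally followed by "-NpM" (e.g. 30.1.2-2p2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+)p(\d+))?$")


def parse_version(text):
    """Convert '30.1.2-2p2' into a comparable tuple; a bare '30.1.2' sorts below any patch."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Avi version string: {text!r}")
    major, minor, patch, build, p = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0), int(p or 0))


def assess(installed):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one installed version."""
    v = parse_version(installed)
    base = ".".join(str(n) for n in v[:3])
    fixed = RESPONSE_MATRIX.get(base)
    if fixed is None:
        return "not-listed"  # release train absent from the matrix; check the advisory directly
    # 30.1.1 can never reach 30.1.2-2p2, so every 30.1.1 build is correctly reported vulnerable.
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


def triage(inventory):
    """Map each (host, version) pair to its status so patching can be prioritised."""
    return {host: assess(version) for host, version in inventory}


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("avi-ctl-01", "30.1.1"),
    ("avi-ctl-02", "30.1.2-2p1"),
    ("avi-ctl-03", "30.2.1-2p5"),
    ("avi-ctl-04", "30.2.2-2p3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "not-listed" run a release train the matrix does not cover and should be checked against the advisory rather than assumed safe.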

Failure to address this vulnerability promptly could expose critical databases to malicious actors, leading to data breaches and other security incidents.

Posted in Cybersecurity
