VMware has released a critical security advisory, VMSA-2025-0003, addressing multiple vulnerabilities in VMware Aria Operations for Logs, VMware Aria Operations, and VMware Cloud Foundation.
These vulnerabilities—tracked as CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221, and CVE-2025-22222—can be exploited to perform admin-level actions, putting affected systems at serious risk.
The vulnerabilities carry CVSSv3 scores ranging from 5.2 to 8.5. VMware has provided patches to mitigate them and urges customers to act promptly.
CVE-2025-22218: Information Disclosure in VMware Aria Operations for Logs
CVE-2025-22218 is a high-severity information disclosure vulnerability in VMware Aria Operations for Logs. It allows an attacker with “View Only Admin” permissions to access sensitive credentials of integrated VMware products.
The CVSSv3 base score for this vulnerability is 8.5, making it one of the most severe issues in this advisory.
This flaw could give attackers unauthorized access to systems, enabling further exploitation or data breaches. VMware has released a patched version, 8.18.3, to address the issue, and no workarounds are currently available.
CVE-2025-22219: Stored Cross-Site Scripting in VMware Aria Operations for Logs
CVE-2025-22219 pertains to a stored cross-site scripting (XSS) vulnerability in VMware Aria Operations for Logs.
Attackers with non-administrative privileges can inject malicious scripts into the system; when a script is triggered, it can carry out arbitrary admin-level operations.
The vulnerability has a CVSSv3 score of 6.8, placing it in the important severity range.
This issue highlights the dangers of improper input validation, as attackers can persistently compromise workflows. The issue has been resolved in the patched version 8.18.3.
CVE-2025-22220: Privilege Escalation in VMware Aria Operations for Logs
CVE-2025-22220 is a moderate-severity privilege escalation vulnerability with a CVSSv3 score of 4.3.
A malicious actor can exploit this vulnerability if they have non-administrative privileges and network access to the Aria Operations for Logs API.
Successful exploitation could allow the attacker to perform admin-level operations. Although rated as moderate, this issue still poses a significant threat in environments with unpatched systems.
VMware recommends applying the fixed version, 8.18.3, to eliminate the vulnerability.
CVE-2025-22221: Stored Cross-Site Scripting in VMware Aria Operations for Logs
Another cross-site scripting (XSS) vulnerability, CVE-2025-22221, allows admin-level users to inject malicious scripts into VMware Aria Operations for Logs.
These scripts can be executed in the victim’s browser, especially during certain actions like deletions performed in the Agent Configuration.
The vulnerability has a CVSSv3 score of 5.2, categorizing it as moderate in severity. While the exploitation requires admin privileges, the risks of compromised browser sessions and unauthorized actions are significant.
VMware has provided a fix in version 8.18.3, and customers are advised to update their systems immediately.
CVE-2025-22222: Information Disclosure in VMware Aria Operations
CVE-2025-22222 is an important-severity information disclosure vulnerability affecting VMware Aria Operations.
It allows a malicious user with non-administrative privileges to retrieve credentials for an outbound plugin if a valid service credential ID is known.
With a CVSSv3 score of 7.7, this vulnerability poses a serious risk of exposing sensitive credentials to attackers, enabling them to access restricted resources. VMware has fixed the issue in its patched version 8.18.3, and no workarounds are available.
Affected Products
The vulnerabilities impact the following VMware products:
- VMware Aria Operations for Logs (version 8.x)
- VMware Aria Operations (version 8.x)
- VMware Cloud Foundation (versions 4.x and 5.x)
To address these vulnerabilities, VMware urges customers to apply the patches provided in version 8.18.3 of VMware Aria Operations for Logs and VMware Aria Operations immediately.
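As an added example (not from VMware's advisory or the original article), the following inventory triage flags 8.x instances below the fixed release 8.18.3 and lists the CVEs named above, highest CVSSv3 score first. The product labels, hostnames and inventory format are assumptions; VMware Cloud Foundation is left out because the article gives no fixed version for it.

```python
import re

# Fixed release and CVE/CVSSv3 data as stated in the article; product keys are hypothetical labels.
FIXED = (8, 18, 3)
ADVISORY = {
    "aria-operations-for-logs": {
        "CVE-2025-22218": 8.5, "CVE-2025-22219": 6.8,
        "CVE-2025-22220": 4.3, "CVE-2025-22221": 5.2,
    },
    "aria-operations": {"CVE-2025-22222": 7.7},
}

def parse_version(text):
    """Return the leading dotted numbers as a 3-tuple, or None if unparseable."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    return tuple(int(p or 0) for p in m.groups()) if m else None

def triage(inventory):
    """Classify each (host, product, version) row against VMSA-2025-0003."""
    findings = []
    for host, product, version in inventory:
        cves = ADVISORY.get(product)
        if cves is None:
            continue  # product not covered by this table
        parsed = parse_version(version)
        if parsed is None or parsed[0] < 8:
            status = "unknown"      # cannot prove it is patched: review by hand
        elif parsed < FIXED:
            status = "vulnerable"   # 8.x below the fixed release
        else:
            status = "patched"
        open_cves = sorted(cves, key=cves.get, reverse=True) if status != "patched" else []
        findings.append({"host": host, "status": status, "cves": open_cves,
                         "max_cvss": max(cves.values()) if open_cves else 0.0})
    # Highest score first, so hosts exposed to credential disclosure are patched first.
    return sorted(findings, key=lambda f: f["max_cvss"], reverse=True)

# Constructed sample inventory (hostnames, versions and build suffix are made up).
SAMPLE = [
    ("ops01.example.internal", "aria-operations", "8.18.2"),
    ("logs01.example.internal", "aria-operations-for-logs", "8.16.0-23364779"),
    ("logs02.example.internal", "aria-operations-for-logs", "8.18.3"),
    ("logs03.example.internal", "aria-operations-for-logs", "n/a"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Rows whose version cannot be parsed are reported as "unknown" and sorted with the vulnerable hosts rather than being treated as patched.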
According to a report by Broadcom, VMware credited security researchers Maxime Escourbiac, Yassine Bengana, and Quentin Ebel from Michelin CERT and Abicom for responsibly reporting these vulnerabilities, which allowed VMware to address them promptly.
The vulnerabilities disclosed in VMSA-2025-0003 pose significant security risks to VMware Aria Operations and related products. Exploitation of these flaws could lead to unauthorized access, privilege escalation, credential theft, and cross-site scripting attacks.
Organizations using VMware Aria Operations products are strongly advised to apply the recommended patches without delay to protect their systems from potential exploitation.
By addressing these issues proactively, enterprises can ensure the integrity and security of their VMware environments.