VMware has released a critical security advisory, VMSA-2025-0003, addressing multiple vulnerabilities in VMware Aria Operations for Logs, VMware Aria Operations, and VMware Cloud Foundation.
These vulnerabilities—tracked as CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221, and CVE-2025-22222—can be exploited to perform admin-level actions, putting affected systems at serious risk.
The vulnerabilities carry CVSSv3 scores ranging from 5.2 to 8.5. VMware has provided patches to mitigate them and urges customers to act promptly.
CVE-2025-22218 is a high-severity information disclosure vulnerability in VMware Aria Operations for Logs. It allows an attacker with “View Only Admin” permissions to access sensitive credentials of integrated VMware products.
The CVSSv3 base score for this vulnerability is 8.5, making it one of the most severe issues in this advisory.
This flaw could give attackers unauthorized access to systems, enabling further exploitation or data breaches. VMware has released a patched version, 8.18.3, to address the issue, and no workarounds are currently available.
CVE-2025-22219 pertains to a stored cross-site scripting (XSS) vulnerability in VMware Aria Operations for Logs.
Attackers with non-administrative privileges can inject malicious scripts into the system, and those scripts perform arbitrary admin-level operations when triggered.
The vulnerability has a CVSSv3 score of 6.8, placing it in the important severity range.
This issue highlights the dangers of improper input validation, as attackers can persistently compromise workflows. The issue has been resolved in the patched version 8.18.3.
CVE-2025-22220 is a moderate-severity privilege escalation vulnerability with a CVSSv3 score of 4.3.
A malicious actor can exploit this vulnerability if they have non-administrative privileges and network access to the Aria Operations for Logs API.
Successful exploitation could allow the attacker to perform admin-level operations. Although rated as moderate, this issue still poses a significant threat in environments with unpatched systems.
VMware recommends applying the fixed version, 8.18.3, to eliminate the vulnerability.
Another cross-site scripting (XSS) vulnerability, CVE-2025-22221, allows admin-level users to inject malicious scripts into VMware Aria Operations for Logs.
These scripts can be executed in the victim’s browser, especially during certain actions like deletions performed in the Agent Configuration.
The vulnerability has a CVSSv3 score of 5.2, categorizing it as moderate in severity. While the exploitation requires admin privileges, the risks of compromised browser sessions and unauthorized actions are significant.
VMware has provided a fix in version 8.18.3, and customers are advised to update their systems immediately.
CVE-2025-22222 is an important-severity information disclosure vulnerability affecting VMware Aria Operations.
It allows a malicious user with non-administrative privileges to retrieve credentials for an outbound plugin if a valid service credential ID is known.
With a CVSSv3 score of 7.7, this vulnerability poses a serious risk of exposing sensitive credentials to attackers, enabling them to access restricted resources. VMware has fixed the issue in its patched version 8.18.3, and no workarounds are available.
Affected Products
The vulnerabilities impact the following VMware products:
To address these vulnerabilities, VMware urges customers to apply the patches provided in version 8.18.3 of VMware Aria Operations for Logs and VMware Aria Operations immediately.
VMware credited security researchers Maxime Escourbiac, Yassine Bengana, and Quentin Ebel from Michelin CERT and Abicom for responsibly reporting these vulnerabilities, allowing VMware to promptly address them, as per a report by Broadcom.
The vulnerabilities disclosed in VMSA-2025-0003 pose significant security risks to VMware Aria Operations and related products. Exploitation of these flaws could lead to unauthorized access, privilege escalation, credential theft, and cross-site scripting attacks.
Organizations using VMware Aria Operations products are strongly advised to apply the recommended patches without delay to protect their systems from potential exploitation.
By addressing these issues proactively, enterprises can ensure the integrity and security of their VMware environments.