Warning: High and medium severity vulnerabilities in VMware Aria Operations and VMware Cloud Foundation. Risk of remote code execution and sensitive information disclosure, Patch Immediately!

Published : 31/01/2025

Reference:
Advisory #2025-23

Version:
1.1

Affected software:
VMware Aria Operations 8.x and VMware Cloud Foundation 5.x and 4.x

Type:
Information disclosure, Cross-site scripting, and Privilege escalation vulnerabilities

CVE/CVSS:
CVE-2025-22218: 8.5 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-22219: 6.8 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
CVE-2025-22220: 4.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVE-2025-22221: 5.2 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N)
CVE-2025-22222: 7.7 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Sources

https://nvd.nist.gov/vuln/detail/CVE-2025-22218
https://nvd.nist.gov/vuln/detail/CVE-2025-22219
https://nvd.nist.gov/vuln/detail/CVE-2025-22220
https://nvd.nist.gov/vuln/detail/CVE-2025-22221
https://nvd.nist.gov/vuln/detail/CVE-2025-22222 

Risks

Multiple vulnerabilities exist in VMware Aria Operations 8.x and VMware Cloud Foundation 5.x and 4.x software.

The first is CVE-2025-22218, a high-severity vulnerability (CVSS 8.5) which, if left unpatched, renders affected devices vulnerable to sensitive information disclosure, with possible high impact on the confidentiality, integrity and availability of systems and data.

Four other vulnerabilities, three of medium and one of high severity, exist in the same software:

  • CVE-2025-22219 (CVSS 6.8) and CVE-2025-22221 (CVSS 5.2). If left unpatched, affected devices are vulnerable to cross-site scripting, with possible impact on the confidentiality, integrity and availability of systems and data.
  • CVE-2025-22220 (CVSS 4.3). If left unpatched, affected devices are vulnerable to privilege escalation, with possible impact on the integrity of systems and data.
  • CVE-2025-22222 (CVSS 7.7). If left unpatched, sensitive information can be disclosed to the attacker.

There are no indications of a proof-of-concept (PoC) exploit or of active exploitation in the wild.

Description

CVE-2025-22218 is a vulnerability of undetermined type that results in information disclosure. If exploited successfully, an attacker with 'View Only Admin' permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs.

CVE-2025-22219 and CVE-2025-22221 are 'Improper Neutralization of Input During Web Page Generation' vulnerabilities, also known as 'Cross-site Scripting' (XSS).

  • If CVE-2025-22219 is exploited successfully, a malicious actor with non-administrative privileges may be able to inject a malicious script, which may lead to arbitrary code execution as the admin user.
  • If CVE-2025-22221 is exploited successfully, a malicious actor with admin privileges may be able to inject a malicious script that could be executed in a victim's browser when the victim performs a delete action in the Agent Configuration.

CVE-2025-22220 is a Privilege Escalation vulnerability.  If exploited successfully, a malicious actor with non-administrative privileges and network access to the Aria Operations for Logs API may be able to perform certain operations in the context of an admin user.

CVE-2025-22222 is an information disclosure vulnerability. If exploited successfully, a non-administrative malicious user can obtain credentials for an outbound plugin if they possess a valid service credential ID.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Broadcom Inc: https://access.broadcom.com/default/ui/v1/signin/ (login required)