Virtualization technology giant VMware on Tuesday issued an urgent alert for a blind SQL injection flaw in its Avi Load Balancer, warning that attackers would exploit the issue to gain broader database access.
The vulnerability, tracked as CVE-2025-22217, carries a CVSS severity score of 8.6/10.
The company described the security defect as an unauthenticated blind SQL Injection vulnerability and urged enterprise admins to apply available patches urgently as there are no pre-patch workarounds.
A high-risk bulletin from VMware warned that “a malicious user with network access may be able to use specially crafted SQL queries to gain database access.”
The VMware Avi Load is widely adopted to help organizations distribute and manage incoming traffic across multiple servers, ensuring reliable performance for cloud and on-premises applications. In addition to load balancing, it provides web application security and container ingress for cloud and datacenter applications.
The product is designed to work with traditional VM-based applications and container microservices.
VMware advises customers running Avi Load Balancer versions 30.1.1, 30.1.2, 30.2.1, and 30.2.2 to quickly deploy available patches. Administrators are recommended to upgrade to at least version 30.1.2 or later before applying the patch in cases where older releases are in place.
There are currently no known workarounds, making patching the only effective remedy.
The vulnerability was privately reported to VMware. The company credits researchers Daniel Kukuczka and Mateusz Darda with the discovery.
Related: VMware Discloses Exploitation of Hard-to-Fix vCenter Server Flaw
Related: VMware Struggles to Fix Flaw Exploited at Chinese Hacking Contest
Related: VMware Patches High-Severity SQL Injection Flaw in HCX Platform
Related: VMware Patches RCE Flaw Found in Chinese Hacking Contest
