VMware Reveals Severe Avi Load Balancer Blind SQL Injection Vulnerability

Written by: Lore Apostol, Cybersecurity & Streaming Writer

VMware has issued an urgent security advisory addressing a critical SQL injection vulnerability in its Avi Load Balancer. The high-risk flaw, identified as CVE-2025-22217, has a CVSS severity rating of 8.6/10.

The security defect is described as an “unauthenticated blind SQL Injection vulnerability,” potentially allowing malicious actors with network access to exploit the issue to gain unauthorized database access. 

The leading virtualization technology provider has stressed this flaw's critical nature, urging system administrators to apply the patches provided immediately, as no viable workarounds exist.

The Avi Load Balancer is widely integrated into enterprise environments to optimize traffic distribution across servers, ensuring efficient and reliable performance for both on-premises and cloud-based applications. 

The product is an important component of many organizations’ infrastructures because it offers web application security and container ingress management for data centers and cloud deployments. 

Its ability to work with both traditional VM-based applications and container microservices further reinforces its strategic importance across IT ecosystems.

The uncovered vulnerability could allow attackers to send crafted SQL queries, potentially leading to significant database compromises. VMware has not disclosed specific instances of exploitation but has characterized the flaw as a pressing concern requiring immediate action.
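To make the "blind" part of the advisory concrete, the following added example (generic illustration, not Avi Load Balancer's code and not VMware's) contrasts a lookup that splices untrusted input into the SQL text with one that binds it as a parameter. The application only reports whether a row exists, yet with string concatenation the input can still change the truth value of the query; with a bound parameter it cannot. The table, rows, and probe strings are constructed for the example.

```python
import sqlite3

# Constructed sample schema and data (not the Avi Load Balancer's database).
SAMPLE_USERS = [("alice", "ops"), ("bob", "viewer")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def user_exists_vulnerable(conn, name):
    # Unsafe: the untrusted value becomes part of the SQL text, so quote
    # characters in it rewrite the query's structure. The caller only ever
    # sees True/False, which is what makes such an injection "blind".
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, name):
    # Hardened: the value travels as a bound parameter, never as SQL text,
    # so it can only match a literal user name, whatever characters it holds.
    sql = "SELECT 1 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


def compare(name):
    """Return (vulnerable_result, safe_result) for one probe string."""
    conn = make_db()
    try:
        return user_exists_vulnerable(conn, name), user_exists_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A genuine user, a missing user, and a missing user whose name carries
    # a tautology: only the concatenated query is fooled by the last one.
    for probe in ["alice", "mallory", "mallory' OR '1'='1"]:
        print(repr(probe), compare(probe))
```

The third probe is the defender's regression test: if a yes/no endpoint answers "yes" for a name that does not exist, the query is being assembled from text rather than parameters, and that is the class of defect a patch or code review should eliminate.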

The vulnerability affects multiple versions of the Avi Load Balancer, including 30.1.1, 30.1.2, 30.2.1, and 30.2.2. VMware advises administrators to urgently patch affected systems to mitigate the risk. 

For enterprises running older versions, it is recommended to first upgrade to at least version 30.1.2 before applying the necessary updates.

Cybersecurity researchers Daniel Kukuczka and Mateusz Darda privately reported the issue to VMware, which acknowledged their efforts in identifying and responsibly disclosing the vulnerability in its advisory.
