Broadcom urges the application of patches that address pressing vulnerabilities in VMware’s cloud management tools.
VMware has fixed multiple high-severity vulnerabilities affecting its cloud management platform (CMP), VMware Aria, which could allow attackers to steal sensitive credentials from the virtualization giant’s IT management and logging solutions.
Parent company Broadcom, in an advisory issued on Thursday, revealed that two of the five newly disclosed vulnerabilities are “high severity” information disclosure flaws, affecting VMware Aria Operations and VMware Aria Operations for Logs respectively.
“Multiple vulnerabilities in VMware Aria Operations for Logs and VMware Aria Operations were privately reported to VMware,” Broadcom said in the advisory. “Patches are available to remediate these vulnerabilities in the affected VMware products.”
VMware Cloud Foundation (VCF), VMware’s platform for deploying and managing hybrid cloud infrastructure, is also affected, because VMware Aria integrates tightly with it to provide cloud management and operational insight for the infrastructure VCF builds.
Credential leaking possible
One of the bugs (CVE-2025-22218) affects VMware Aria Operations for Logs, the component that handles log collection, real-time analysis, troubleshooting, and security event detection. It carries a high CVSS rating of 8.5/10 because a low-privileged user can exploit it to disclose credentials.
“A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs,” Broadcom said.
A second bug (CVE-2025-22222), similar in that it also requires only low privileges to exploit, affects VMware Aria Operations, which handles infrastructure monitoring, performance optimization, capacity planning, automation, and cost management. It has been assigned a CVSS rating of 7.7/10.
“A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if a valid service credential ID is known,” Broadcom added in the advisory.
The flaws reportedly affect VMware Aria Operations for Logs 8.x, VMware Aria Operations 8.x, and VCF 5.x and 4.x. They have been fixed in VMware Aria Operations 8.18.3 and VMware Aria Operations for Logs 8.18.3; VCF customers are advised to follow KB92148 to remediate affected environments.
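The version numbers above are the only thing a defender can act on immediately, and the classic mistake when checking them is comparing version strings lexically (so that "8.18.10" sorts below "8.18.3"). The following is an added example, not Broadcom's tooling or anything from the advisory: it parses versions into integer tuples and triages an inventory against the fixed releases named in the article (8.18.3 for both Aria products), routing VCF 4.x/5.x to KB92148 because VCF is remediated per that article rather than by a single version number. The hostnames, build suffixes and inventory rows are constructed sample data.

```python
"""Patch-status triage for the Aria advisory versions quoted in the article.

Added example (not Broadcom's code). Assumptions, taken from the article:
  - VMware Aria Operations and Aria Operations for Logs 8.x are affected,
    fixed in 8.18.3 of each product.
  - VCF 4.x and 5.x are affected and are remediated by following KB92148.
Everything in INVENTORY is constructed sample data.
"""
import re

FIXED = {
    "VMware Aria Operations": (8, 18, 3),
    "VMware Aria Operations for Logs": (8, 18, 3),
}
AFFECTED_MAJOR = 8             # the 8.x train is what the advisory lists
VCF_AFFECTED_MAJORS = {4, 5}   # VCF 4.x and 5.x


def parse_version(s):
    """'8.18.3', '8.18.3.12345678', '8.18' -> (major, minor, patch).

    Any trailing build number is ignored; a missing patch field counts as 0.
    Integer tuples compare numerically, so 8.18.10 > 8.18.3 as intended.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def status(product, version):
    """Return 'patched', 'vulnerable', 'check-kb92148' or 'not-in-advisory'."""
    v = parse_version(version)
    if product == "VMware Cloud Foundation":
        # VCF has no single fixed version in the article; point at the KB.
        return "check-kb92148" if v[0] in VCF_AFFECTED_MAJORS else "not-in-advisory"
    if product not in FIXED or v[0] != AFFECTED_MAJOR:
        # Other products or other release trains are not covered by the advisory;
        # that is not the same as "safe", so the label says only that.
        return "not-in-advisory"
    return "patched" if v >= FIXED[product] else "vulnerable"


# Constructed inventory: hostnames and build suffixes are made up.
INVENTORY = [
    ("ops-01.example.internal", "VMware Aria Operations", "8.18.2"),
    ("ops-02.example.internal", "VMware Aria Operations", "8.18.3.12345678"),
    ("logs-01.example.internal", "VMware Aria Operations for Logs", "8.18"),
    ("logs-02.example.internal", "VMware Aria Operations for Logs", "8.18.10"),
    ("vcf-mgmt.example.internal", "VMware Cloud Foundation", "5.2"),
]


def triage(inventory):
    """Annotate every (host, product, version) row with its status."""
    return [(host, product, ver, status(product, ver)) for host, product, ver in inventory]


def needs_action(inventory):
    """Rows that still require patching or a KB92148 review."""
    return [row for row in triage(inventory) if row[3] in ("vulnerable", "check-kb92148")]


if __name__ == "__main__":
    for host, product, ver, st in triage(INVENTORY):
        print(f"{st:16} {host:28} {product} {ver}")
```

Feed it your real asset inventory in place of `INVENTORY`; the point of `needs_action` is that an 8.18.10 host is correctly reported as patched while an "8.18" host (patch field missing) is correctly reported as vulnerable.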
Other XSS and privilege escalation vulnerabilities
VMware Aria Operations for Logs also contains a stored cross-site scripting vulnerability (CVE-2025-22219) rated important (CVSS 6.8/10) and a privilege escalation vulnerability (CVE-2025-22220) rated moderate (CVSS 4.3/10).
Another stored cross-site scripting bug (CVE-2025-22221), rated moderate (CVSS 5.2/10), also affects VMware Aria Operations for Logs; an actor with admin privileges could inject a malicious script that then executes in a victim’s browser.
All of these vulnerabilities affect the same versions of the VMware Aria products and VCF as the information disclosure flaws and were fixed in the same update. Patching is the only remedy, since Broadcom lists no workaround for any of them.