VMware plugs steal-my-credentials holes in Cloud Foundation

Consider patching soon because cybercrooks love to hit vulnerable tools from Broadcom's virtualization giant


Broadcom has fixed five flaws, collectively deemed "high severity," in VMware's IT operations and log management tools within Cloud Foundation, including two information disclosure bugs that could lead to credential leakage under certain conditions.

All five have patches available. Broadcom's security advisory doesn't note any in-the-wild exploits, yet.

We note that exploitation requires authorized access to vulnerable deployments, so if these are successfully abused in the wild, it'll most likely be through compromised or rogue accounts.

The CVEs affect Aria Operations, used for managing IT operations across different environments, and Aria Operations for Logs, which is a tool for storing and analyzing log data. Both are pieces of VMware Cloud Foundation, meaning the bugs also affect versions 4.x and 5.x of the hybrid cloud platform.

Specifically, four of the vulnerabilities (CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, and CVE-2025-22221) affect VMware Aria Operations for Logs versions 8 and newer, and one (CVE-2025-22222) affects the same versions of VMware Aria Operations. Updating both products to v8.18.3 fixes the issues. VMware Cloud Foundation users can follow KB92148 to apply the necessary fixes.

The most severe of the bunch is CVE-2025-22218, an 8.5-rated information disclosure vulnerability in VMware Aria Operations for Logs.

"A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs," according to the security alert.

The single bug affecting VMware Aria Operations, CVE-2025-22222, is also an information disclosure vulnerability and it received a 7.7 CVSS severity rating.

Someone with non-admin privileges can exploit this bug and steal credentials for an outbound plugin so long as they have — or have stolen — a valid service credential ID.

The flaws fixed today in VMware Aria Operations for Logs also include two stored cross-site scripting (XSS) vulnerabilities: CVE-2025-22219 and CVE-2025-22221, which received a 6.8 and 5.2 CVSS rating, respectively.

Both can be abused to inject malicious scripts into the application, which are then executed in the victim's browser. CVE-2025-22219 doesn't require administrative privileges to exploit and may lead to arbitrary operations as an admin-level user.

An attacker does, however, need admin privileges to abuse CVE-2025-22221. But if they do, they can inject a malicious script to be executed in a victim's browser when performing a delete action in the agent configuration.

And finally, there's a 4.3-rated privilege-escalation vulnerability, tracked as CVE-2025-22220. This one allows a user with network access to Aria Operations for Logs API to perform certain operations that would otherwise require administrative privileges.

Broadcom credited Maxime Escourbiac from Michelin CERT, and Yassine Bengana and Quentin Ebel from Abicom for spotting and disclosing the five vulnerabilities.

Both nation-state snoops and financially motivated criminals alike love exploiting VMware bugs because of the virtualization software's ubiquitous use across major enterprises and governments. Given this history as a prime target, it's perhaps a good idea to put these patches on the near-term to-do list even if they are fairly heavily caveated. ®
