Broadcom has issued a security advisory for a high-severity DOM-based Cross-Site Scripting (XSS) vulnerability in VMware Aria Automation. The vulnerability, tracked as CVE-2025-22249, could allow an attacker to steal access tokens from logged-in users, compromising their accounts and granting unauthorized access to the system.
Assigned a CVSSv3 base score of 8.2, the vulnerability was disclosed on May 12, 2025, in security advisory VMSA-2025-0008. The flaw lies in the client-side (Document Object Model, DOM) code of VMware Aria Automation, where attacker-controlled input from the URL reaches the page's DOM and lets malicious JavaScript execute in the victim's browser.
Exploitation Path
According to the advisory, a malicious actor could exploit this vulnerability by tricking a user into clicking a specially crafted URL that contains a malicious payload. This attack vector relies on social engineering to convince users to interact with the harmful URL while they are logged into the VMware Aria automation platform.
Notably, the attacker does not need to be authenticated to the system, but the victim must interact with the link. Once the user clicks it, the injected script runs in the context of the user's session, can read the authentication tokens available to the page and send them to an attacker-controlled server, giving the attacker unauthorized access to the system.
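The crafted-URL mechanism described above, shown as an added example that is not part of the advisory or of VMware's code: a minimal vulnerable render function next to two hardened versions. The `status` parameter, the function names and the host `aria-automation.example` are assumptions made for illustration.

```javascript
// Added example (not from the Broadcom advisory or VMware Aria Automation):
// the generic DOM-based XSS pattern and how to harden the sink.

// Read an untrusted value the page takes from the URL (query or fragment).
// A payload placed in the fragment (#...) is never sent to the server, so
// server access logs and a server-side WAF cannot see it; only the browser
// code can treat it as hostile.
function untrustedParam(urlString, name) {
  const url = new URL(urlString);
  const fromQuery = url.searchParams.get(name);
  if (fromQuery !== null) return fromQuery;
  return new URLSearchParams(url.hash.replace(/^#/, "")).get(name);
}

// Vulnerable pattern: the raw value is concatenated into markup that the
// page would assign to innerHTML. Any tag or event handler in the value is
// parsed as HTML and runs with the victim's session.
function renderStatusUnsafe(urlString) {
  const value = untrustedParam(urlString, "status") ?? "";
  return `<div class="status">${value}</div>`;
}

// Hardened pattern 1: encode the HTML metacharacters so the value is shown
// as text (the equivalent of assigning element.textContent).
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function renderStatusEscaped(urlString) {
  const value = untrustedParam(urlString, "status") ?? "";
  return `<div class="status">${escapeHtml(value)}</div>`;
}

// Hardened pattern 2: accept only values the page actually needs (allowlist),
// and still escape as defence in depth.
const ALLOWED_STATUS = new Set(["running", "completed", "failed"]);

function renderStatusAllowlisted(urlString) {
  const value = untrustedParam(urlString, "status") ?? "";
  const shown = ALLOWED_STATUS.has(value) ? value : "unknown";
  return `<div class="status">${escapeHtml(shown)}</div>`;
}
```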
Affected Products and Patches
Several VMware products that ship Aria Automation are affected. Broadcom has released patches to resolve the issue:
| Product | Affected Versions | Fixed Version / Patch |
|---|---|---|
| VMware Aria Automation | 8.18.x and earlier | 8.18.1 patch 2 |
| VMware Cloud Foundation | 4.x, 5.x | See KB394224 |
| VMware Telco Cloud Platform | 5.x | 8.18.1 patch 2 |
This vulnerability adds to a growing list of security concerns for VMware products, following the critical VMware ESXi vulnerabilities (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226) disclosed earlier this year, which were actively exploited in the wild.
Recommendations and Precautions
Security experts advise organizations to apply the patches immediately, as no workarounds are available for this vulnerability. No public proof-of-concept or active exploitation has been reported so far, but DOM-based XSS vulnerabilities are typically straightforward to exploit once discovered.
In addition to applying the patches, organizations are encouraged to take the following precautions:
- Implement web application firewalls (WAF) with XSS protection capabilities.
- Train users to recognize suspicious links and phishing attempts.
- Enable multi-factor authentication (MFA) wherever possible.
- Regularly audit system access logs for any unauthorized activity.
This vulnerability was privately reported to VMware by security researcher Bartosz Reginiak, highlighting the importance of responsible vulnerability disclosure in securing enterprise systems.
Conclusion
The discovery of this DOM-based XSS vulnerability underscores the ongoing challenges faced by organizations in securing complex enterprise software ecosystems. Timely patching remains the most effective defense against such vulnerabilities, especially when no workarounds exist.