CVE-2025-22249

Summary

VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.

Affected Software

VendorProductVersion RangeStatus
VMwareVmware Aria Automation8.18.x < 8.18.1 patch2affected
VMwareVMware Cloud Foundation5.x < 8.18.1 patch 2affected
VMwareVMware Cloud Foundation4.x < 8.18.1 patch 2affected
VMwareVMware Telco Cloud Platform5.x < 8.18.1 patch 2affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References