VMSA-2025-0008: VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249)
Description
VMware Aria Automation contains a DOM-based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged-in user of the VMware Aria Automation appliance by tricking the user into clicking a maliciously crafted payload URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VMware Aria Automation's DOM-based XSS vulnerability (CVE-2025-22249) allows token theft when users click a malicious URL.
Vulnerability
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in VMware Aria Automation versions 8.18.x (prior to 8.18.1 patch 2), as well as in VMware Cloud Foundation (5.x, 4.x) and VMware Telco Cloud Platform (5.x) [1]. The flaw resides in the client-side code where insufficient sanitization of attacker-controlled input permits JavaScript execution within the user's browser session [1]. No special configuration is required beyond the standard product installation.
Exploitation
An unauthenticated attacker must craft a malicious payload URL and trick a logged-in user of the VMware Aria Automation appliance into clicking it [1]. No additional privileges or network position are needed; the attack relies solely on social engineering to deliver the link. Once the user's browser processes the DOM, the injected script runs in the user's current session context [1].
Impact
Successful exploitation allows the attacker to steal the access token of the logged-in user [1]. This token can be reused to impersonate the victim, leading to unauthorized access to the Aria Automation appliance and potentially broader cloud infrastructure managed by the platform. The CVSSv3 base score is 8.2 (Important) [1].
Mitigation
Fixed versions are available: VMware Aria Automation 8.18.1 patch 2, and for VMware Cloud Foundation and Telco Cloud Platform, apply the patches linked in KB394224 [1]. No workarounds exist [1]. Users should upgrade to the patched release immediately.
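As an added example (not VMware's code, and not derived from Aria Automation's actual client-side code), the following JavaScript shows a defender-side review heuristic for the URL-source-to-HTML-sink pattern that underlies DOM-based XSS, alongside the output-encoding step that keeps URL-derived input from being parsed as markup; the scanned snippet is constructed for illustration.

```javascript
// Added example, not VMware's code: two defender-side helpers for the DOM-based
// XSS class described in this advisory. The scanned snippet is constructed.
// Attacker-controlled "sources" a DOM XSS reads from (a crafted URL).
const DOM_SOURCES = [
  /\blocation\.(hash|search|href|pathname)\b/,
  /\bdocument\.(URL|documentURI|referrer)\b/,
  /\bwindow\.name\b/,
];

// "Sinks" that interpret a string as HTML or script.
const DOM_SINKS = [
  /\.innerHTML\s*=/,
  /\.outerHTML\s*=/,
  /\binsertAdjacentHTML\s*\(/,
  /\bdocument\.write(ln)?\s*\(/,
  /\beval\s*\(/,
];

// Heuristic code-review triage: return 1-based line numbers where a URL-derived
// source reaches a sink, either on the same line or via a variable assigned from
// a source earlier. Not a taint analysis; false positives need manual review.
function findDomXssCandidates(jsSource) {
  const tainted = new Set();
  const flagged = [];
  jsSource.split('\n').forEach((line, i) => {
    const hasSource = DOM_SOURCES.some((re) => re.test(line));
    const hasSink = DOM_SINKS.some((re) => re.test(line));
    const assign = line.match(/^\s*(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*=/);
    if (hasSource && assign) tainted.add(assign[1]);
    const usesTainted = [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(line));
    if (hasSink && (hasSource || usesTainted)) flagged.push(i + 1);
  });
  return flagged;
}

// Safe rendering of URL-derived text: HTML-encode it (or assign via
// textContent) so the browser never parses attacker input as markup.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed client-side snippet: line 2 writes a query parameter into
// innerHTML (flagged); line 3 uses textContent and is not flagged.
const SAMPLE_CLIENT_JS = `const view = new URLSearchParams(location.search).get('view');
document.getElementById('title').innerHTML = 'Viewing ' + view;
document.getElementById('title').textContent = 'Viewing ' + view;`;
```

Running `findDomXssCandidates(SAMPLE_CLIENT_JS)` flags only line 2; a hit is a prompt for manual review of how the value is produced and consumed, not proof of exploitability.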
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4 listed, plus 1 more not shown
- (no CPE)
- (no CPE), range: 8.18.x
- range: 5.x
- VMware/VMware Telco Cloud Platform v5, range: 5.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.