CVE-2025-22218
Published: 30 January 2025
Summary
CVE-2025-22218 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in VMware Aria Operations for Logs. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks in the top 33.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces least privilege to ensure View Only Admin permissions do not allow access to sensitive credentials of integrated VMware products.
Requires systems to enforce approved authorizations, directly preventing low-privilege users from reading disclosed credentials.
Monitors for unauthorized disclosure of sensitive information like credentials, enabling identification of exploitation attempts by View Only Admin users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables reading of integrated product credentials via information disclosure, which maps to Unsecured Credentials (T1552).
NVD Description
VMware Aria Operations for Logs contains an information disclosure vulnerability. A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs.
Deeper analysis
CVE-2025-22218 is an information disclosure vulnerability (CWE-209) in VMware Aria Operations for Logs. A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2025-01-30.
An attacker needs View Only Admin permissions (a low privilege requirement in CVSS terms) and can exploit the issue remotely over the network without user interaction, although the attack complexity is rated high. Successful exploitation discloses sensitive credentials for integrated VMware products. The scope is rated as changed, so the impact extends beyond Aria Operations for Logs itself and could enable broader compromise, consistent with the high confidentiality, integrity, and availability ratings in the CVSS vector.
Security practitioners should consult the Broadcom security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25329 for details on patches, workarounds, and mitigation guidance.
Details
- CWE(s)