VMware Security Alert: DOM-Based Cross-Site Scripting in Aria Automation (CVE-2025-22249)

Introduction

Broadcom has published VMSA-2025-0008 to address a newly disclosed DOM-based Cross-Site Scripting (XSS) vulnerability in VMware Aria Automation, previously known as vRealize Automation. The issue is tracked as CVE-2025-22249 and has been assigned a CVSSv3 base score of 8.2 (Important severity).

This client-side scripting flaw could allow an attacker to steal access tokens or session identifiers from authenticated users by tricking them into visiting a specially crafted URL. The vulnerability affects multiple versions of Aria Automation and products integrated with it, including VMware Cloud Foundation and Telco Cloud Platform.

For security teams responsible for Aria-based environments, especially those exposing portals to internal developers or DevOps pipelines, this vulnerability requires urgent attention.

What Is It?

CVE-2025-22249 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the user interface layer of VMware Aria Automation. DOM-based XSS occurs when malicious JavaScript executes in the victim’s browser not because the server reflects the payload, but because client-side code takes attacker-controlled input and writes it into the document object model (DOM) without adequate sanitization.

In this case, a malicious actor could construct a URL embedding JavaScript in a way that the Aria Automation front-end improperly parses and executes. If a logged-in user opens this URL, the attacker may gain access to authentication tokens, session cookies, or other sensitive in-browser data associated with the current session.

Unlike persistent XSS, this flaw is non-persistent and user-triggered, requiring active engagement by a legitimate user. However, because Aria Automation is often integrated with vSphere, NSX, and other high-privilege orchestration platforms, the impact of a successful token theft could be significant.
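To make the mechanism above concrete, here is an added, generic illustration of the DOM-based XSS pattern; it is not VMware Aria Automation's code and says nothing about that product's internals. A hypothetical single-page app reads a "view" name from the URL fragment and builds a heading from it. The unsafe renderer concatenates the raw value into markup, which is the flow that lets a crafted URL inject script once the result lands in an innerHTML-style sink. The hardened renderer validates the value against an allowlist and HTML-escapes it as defence in depth. The URLs, view names and function names are constructed for this example.

```javascript
// Added illustration of the DOM-based XSS pattern in generic form; this is not
// VMware Aria Automation's code and makes no claim about its internals.
// Scenario (constructed): a single-page app reads a "view" name from the URL
// fragment and builds a heading for it.

const ALLOWED_VIEWS = new Set(["deployments", "blueprints", "projects"]);
const DEFAULT_VIEW = "deployments";

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull view=... out of the fragment (the part after '#'). The fragment never
// leaves the browser, so the server cannot validate it; the client must.
function viewFromUrl(url) {
  const hash = new URL(url).hash; // e.g. "#/view=blueprints"
  const m = /[?&/]view=([^&]*)/.exec(hash);
  if (!m) return "";
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return ""; // malformed percent-encoding: treat the parameter as absent
  }
}

// UNSAFE: attacker-controlled text flows straight into markup. In a real page
// this string would be assigned to element.innerHTML, and any tags survive.
function renderHeadingUnsafe(url) {
  return "<h1>Viewing " + viewFromUrl(url) + "</h1>";
}

// HARDENED: only known view names are accepted, and the chosen one is escaped
// anyway so a future change to ALLOWED_VIEWS cannot silently reopen the sink.
function renderHeadingSafe(url) {
  const view = viewFromUrl(url);
  const chosen = ALLOWED_VIEWS.has(view) ? view : DEFAULT_VIEW;
  return "<h1>Viewing " + escapeHtml(chosen) + "</h1>";
}

// Constructed sample URLs: a normal link and one carrying markup in the fragment.
const BENIGN_URL = "https://aria.example.invalid/automation-ui/#/view=blueprints";
const CRAFTED_URL = "https://aria.example.invalid/automation-ui/#/view=%3Cb%3Einjected%3C%2Fb%3E";

console.log(renderHeadingUnsafe(CRAFTED_URL)); // markup survives: <h1>Viewing <b>injected</b></h1>
console.log(renderHeadingSafe(CRAFTED_URL));   // falls back:      <h1>Viewing deployments</h1>
```

In a browser the safest fix is to avoid the HTML sink altogether (set `textContent` instead of `innerHTML`); the allowlist plus escaping shown here is what to do when the value must drive markup or routing. Note that the fragment is never sent to the server, which is why server-side input validation alone cannot close a DOM-based flaw.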

Why Does It Matter?

Aria Automation is frequently deployed in environments where it serves as the control plane for provisioning and managing infrastructure resources. A compromised session in this context may:

  1. Allow unauthorized actions such as provisioning or deprovisioning VMs and cloud services.
  2. Lead to exposure of sensitive infrastructure templates or orchestration logic.
  3. Enable lateral movement into integrated systems such as vCenter, NSX, or identity providers.

Because token-based authentication mechanisms are typically short-lived and bearer-based, the attacker may not need to bypass traditional login credentials. A stolen token may be sufficient to authenticate and perform actions using the victim's session context.

This type of vulnerability is particularly relevant in internal self-service portals used by developers or engineers, where web links are regularly shared or embedded in chat platforms. In such environments, the threshold for exploitability is lower, and the blast radius of a compromised session may be large.

Risk Scenarios

A red team or external threat actor could craft a malicious URL that, when opened in a browser by a legitimate Aria Automation user, executes JavaScript in the browser context. This script may read the document.cookie value, extract access tokens from browser storage, or execute an XMLHttpRequest (XHR) to exfiltrate session metadata.

If the user has active administrative privileges, the attacker may gain immediate access to create, modify, or delete cloud resources or automation blueprints. In tightly integrated environments, the attacker could also pivot to connected identity platforms or infrastructure-as-code pipelines.

Additional scenarios include:

  1. Social engineering or phishing attacks embedding a malicious link in a service ticket, chat message, or internal documentation.
  2. Weaponized bookmarks or browser extensions distributing malicious URLs.
  3. Abuse of internal ticketing or CI/CD workflows that integrate with Aria Automation APIs.

These attack vectors are magnified in environments where SSO or federated identity is enabled and session tokens are used for seamless API interactions.

What Can I Do About It?

VMware has issued patched releases of Aria Automation to address this vulnerability. Security teams should upgrade to the following fixed versions immediately:

  1. VMware Aria Automation 8.18.1 Patch 2
  2. For affected versions of VMware Cloud Foundation and Telco Cloud Platform, refer to Broadcom KB 394224

Beyond patching, administrators should:

  1. Review access token scopes and lifetimes, particularly for privileged user roles.
  2. Inspect application logs for suspicious URL activity or signs of exploitation.
  3. Revoke and reissue tokens for users in environments where the vulnerability may have been exposed.
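For the log inspection step, here is an added example (not Aria Automation's tooling, and not its log format) of a small scanner that flags access-log requests whose path or query string carries markup or script-like content. The log lines, usernames and paths are constructed for the illustration, and the indicator patterns are deliberately broad, so treat hits as triage leads rather than confirmed exploitation. One caveat a practitioner should keep in mind: the URL fragment (everything after `#`) is never sent to the server, so a DOM-based payload carried purely in the fragment leaves no trace in server logs at all; pair this kind of check with client-side telemetry such as browser Content-Security-Policy violation reports.

```javascript
// Added example: scan access-log lines (common log format, constructed here)
// for request URLs carrying markup or script-like content. This is not
// VMware Aria Automation's log format or tooling.

const SAMPLE_LOG = [
  '10.0.0.5 - alice [12/May/2025:10:01:02 +0000] "GET /automation-ui/ HTTP/1.1" 200 512',
  '10.0.0.7 - bob [12/May/2025:10:01:09 +0000] "GET /automation-ui/?view=%3Cscript%3E HTTP/1.1" 200 512',
  '10.0.0.9 - carol [12/May/2025:10:02:31 +0000] "GET /automation-ui/?redirect=javascript:void(0) HTTP/1.1" 302 0',
  '10.0.0.5 - alice [12/May/2025:10:03:00 +0000] "GET /automation-ui/?view=deployments HTTP/1.1" 200 512',
  'garbage line that does not parse',
];

// ip ident user [time] "method url protocol" status
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Broad heuristics for content that has no business in a normal request URL.
const INDICATORS = [
  { name: "html-tag", re: /<\s*\/?\s*[a-z]/i },
  { name: "javascript-scheme", re: /javascript\s*:/i },
  { name: "event-handler", re: /\bon[a-z]+\s*=/i },
];

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns one finding per suspicious request: { ip, user, time, url, reasons }.
// Lines that do not match the expected format are skipped, not treated as hits.
function suspiciousRequests(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ip, user, time, , url] = m;
    // Decode twice so double-encoded payloads (%253C -> %3C -> <) are caught too.
    const decoded = safeDecode(safeDecode(url));
    const reasons = INDICATORS.filter(({ re }) => re.test(decoded)).map(({ name }) => name);
    if (reasons.length) findings.push({ ip, user, time, url, reasons });
  }
  return findings;
}

for (const f of suspiciousRequests(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.ip} ${f.user} ${f.url} -> ${f.reasons.join(",")}`);
}
```

The findings carry the authenticated username where the log records one, which is the list of accounts whose tokens the third remediation step (revoke and reissue) should start with.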

In general, internal users should be warned against clicking unsolicited or unfamiliar links, even within trusted platforms. DOM-based XSS attacks are successful only when a user engages with an attacker-controlled URL.

Conclusion: Bottom Line

CVE-2025-22249 reflects a class of client-side vulnerabilities that can undermine identity and session integrity without breaching server-side defenses. While it does not persist or execute without user interaction, the implications of session token theft in Aria Automation are substantial, particularly in environments where automation controls have high privilege or direct infrastructure access.

Organizations running Aria Automation, Cloud Foundation, or Telco Cloud Platform should patch immediately and review exposure risk for users who may have interacted with untrusted URLs. Internal awareness and administrative token hygiene are both essential components of mitigating DOM-based XSS threats of this kind.

References

  1. Broadcom Security Advisory (VMSA-2025-0008): https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25711
  2. CVE-2025-22249: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22249
  3. Broadcom Knowledge Base KB 394224: https://knowledge.broadcom.com/external/article/394224
  4. OWASP DOM XSS Guide: https://owasp.org/www-community/attacks/DOM_Based_XSS
  5. VMware Aria Automation Product Page: https://www.vmware.com/products/aria-automation.html