Aria Automation 8.18.1 Patch 3 customers may be affected by vulnerabilities identified through security scans. This article provides guidance on verifying and resolving these vulnerabilities.
Aria Automation 8.18.1 Patch 3 and lower.
VMware by Broadcom is aware of the CVEs listed below.
Please refer to the release notes for existing and forthcoming product releases for any updates in relation to these CVEs.
Should you require further information, please contact Broadcom Support.
| CVSS V3 Base Score | CVE | Plugin Name | Fixed in Patch 3 | Fixed in Patch 4 | Note |
|---|---|---|---|---|---|
| 7.4 | CVE-2025-22228 | Spring Security 5.7 < 5.7.16 / 5.8 < 5.8.18 / 6.0 < 6.0.16 / 6.1 < 6.1.14 / 6.2 < 6.2.10 / 6.3 < 6.3.8 / 6.4 < 6.4.4 Authentication Bypass (CVE-2025-22228) | N/A | N/A | Not affected - Aria Automation is not using BCryptPasswordEncoder |
| 3.8 | CVE-2025-32728 | OpenSSH < 10.0 DisableForwarding | Yes | Yes | |
| 9.1 | CVE-2022-49043 | Photon OS 4.0: Libxml2 PHSA-2025-4.0-0834 | Yes | Yes | |
| | CVE-2025-49794 | Photon OS 4.0: Libxml2 PHSA-2025-4.0-0834 | No | Yes | |
| | CVE-2025-49796 | Photon OS 4.0: Libxml2 PHSA-2025-4.0-0834 | No | Yes | |
| | CVE-2025-6021 | Photon OS 4.0: Libxml2 PHSA-2025-4.0-0834 | Yes | Yes | |
| 7.5 | CVE-2025-48989 | Apache Tomcat 9.0.0.M1 < 9.0.108 | No | Yes | |
| 7.5 | CVE-2025-48060 | Photon OS 4.0: Jq PHSA-2025-4.0-0841 | No | Yes | |
| 7.8 | CVE-2025-4802 | Photon OS 4.0: Glibc PHSA-2025-4.0-0838 | No | Yes | |
| 8.2 | CVE-2025-32988,CVE-2025-32989,CVE-2025-32990,CVE-2025-6395 | Photon OS 4.0: Gnutls PHSA-2025-4.0-0854 | No | Yes | |
| 7.8 | CVE-2022-28737 | Photon OS 4.0: Shim PHSA-2025-4.0-0861 | No | Yes | |
| 7.8 | CVE-2023-4001,CVE-2024-1048,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-56737,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125 | Photon OS 4.0: Grub2 PHSA-2025-4.0-0861 | No | Yes | |
| 4.9 | CVE-2023-7207 | Photon OS 4.0: Cpio PHSA-2025-4.0-0869 | No | Yes | |
| 7.5 | CVE-2025-41249 | Spring Framework 5.3.x < 5.3.45 / 6.1.x < 6.1.23 / 6.2.x < 6.2.11 Annotation Detection Vulnerability (CVE-2025-41249) | No | Yes | A fix is tracked for Patch 4 |
| 3.3 | CVE-2025-6141 | Photon OS 4.0: Ncurses PHSA-2025-4.0-0871 | No | Yes | |
| 9.8 | CVE-2025-6965,CVE-2025-7709 | Photon OS 4.0: Sqlite PHSA-2025-4.0-0873 | No | Yes | |
| 7.8 | CVE-2025-39860 | Photon OS 4.0: Linux PHSA-2025-4.0-0874 | No | Yes | |

Photon Issues: These will be addressed in the upcoming Patch 4, which will include updates to the latest Photon build once the fixes are available.
Remaining Issues:
Aria Automation is not vulnerable to CVE-2025-22228.
We are actively working on updating the Spring Framework to a non-vulnerable version, which will be included in Patch 4.
Patch 4 Release: Patch 4 is currently in development, and an estimated release timeline is not yet available. We recommend coordinating with your SAM/TAM for updates on the release schedule.
We will continue to provide updates as more information becomes available.