What’s The Problem?
This week a security announcement was published from Broadcom: VMSA-2025-0008: VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249)
Affecting 3 products (VMware Aria Automation, VMware Cloud Foundation, VMware Telco Cloud Platform) with a CVSS Base Score of 8.2 I was working with a number of customers that wanted the provided patch applied as soon as possible. Not a problem, we’ve done this before! Now here is where it gets interesting. The patch application method was one that I was familiar with, however, once the patch was applied the build version had not changed!
Investigation
Reviewing the UI I couldn’t see any changes, except for one place which was via Lifecycle Manager, the environment containing Automation and then viewing the Patch history

Figure1: Automation Patch History
Getting on to one of the nodes, I used the vracli to check the version.
vracli version – this command showed me the version that I was at prior to patching
vracli version patch – showed the patch version
Outcome
So, the patch is applied, but does not show in the UI as I would expect it to. Anyone else seeing this ?