What’s The Problem?

This week Broadcom published a security announcement: VMSA-2025-0008: VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249).

The advisory affects 3 products (VMware Aria Automation, VMware Cloud Foundation, VMware Telco Cloud Platform) and has a CVSS Base Score of 8.2. I was working with a number of customers that wanted the provided patch applied as soon as possible. Not a problem, we’ve done this before! Now here is where it gets interesting. The patch application method was one that I was familiar with; however, once the patch was applied, the build version had not changed!

Investigation

Reviewing the UI, I couldn’t see any changes except in one place: in Lifecycle Manager, by opening the environment containing Automation and then viewing the Patch history.

Figure 1: Automation Patch History

Getting on to one of the nodes, I used the vracli to check the version.

vracli version – this command showed me the version that I was at prior to patching

vracli version patch – showed the patch version

Outcome

So, the patch is applied, but does not show in the UI as I would expect it to. Anyone else seeing this?

paul_davey

CIO at Sonar, Automation Practice Lead at Xtravirt and guitarist in The Waders. Loves IT, automation, programming, music