Out-of-Bounds Write Vulnerability in VMware ESXi and Workstation Products
CVE-2025-22224
Key Information:
- Vendor: VMware
- CVE Published: 4 March 2025
What is CVE-2025-22224?
CVE-2025-22224 is a vulnerability affecting VMware ESXi and Workstation products, which are widely used for virtualization, allowing users to run multiple operating systems on a single physical machine. This particular vulnerability involves an out-of-bounds write issue due to a Time-of-Check Time-of-Use (TOCTOU) flaw, which could enable an attacker with local administrative privileges on a virtual machine to execute arbitrary code in the context of the VMX process on the host. Such exploitation could lead to significant security risks for organizations by compromising the integrity of their virtualized environments.
Technical Details
The vulnerability arises from a timing problem in the way the software checks a condition and then acts on it: the value that was validated can change between the check and the use, so the later memory operation is performed with a value that was never validated. The result is a write outside the bounds of the allocated buffer, which puts host memory at risk of corruption. Administrators securing their virtual environments should understand that local administrative access inside a guest can escalate to control of the VMX process on the host, potentially compromising the entire host system.
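The generic double-fetch pattern behind a TOCTOU out-of-bounds write, and the single-fetch fix, shown as an added illustration in C. This is not VMware's code and does not describe the ESXi bug in detail; `shared_req`, `copy_request_vulnerable`, `copy_request_fixed` and the `race_hook` that stands in for a guest racing the host are all hypothetical, and the canary region exists only so the example can observe the overflow safely.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE    64          /* logical size of the host buffer      */
#define CANARY_SIZE 64          /* guard region placed right after it   */
#define CANARY_BYTE 0xA5
#define ARENA_SIZE  (BUF_SIZE + CANARY_SIZE)

/* Hypothetical request header living in memory shared with a guest.
 * The guest may rewrite it at any moment, so no field is stable. */
struct shared_req {
    volatile uint32_t len;      /* guest-controlled length */
    uint8_t payload[256];
};

/* Stand-in for the guest racing the host: invoked between check and use. */
typedef void (*race_hook)(struct shared_req *req);

/* Vulnerable pattern: validate the shared field, then re-read it for the copy.
 * dst is logically BUF_SIZE bytes; the caller gives it a canary tail. */
int copy_request_vulnerable(struct shared_req *req, uint8_t *dst, race_hook between) {
    if (req->len > BUF_SIZE)                  /* time of check */
        return -1;
    if (between) between(req);                /* guest changes len here */
    memcpy(dst, req->payload, req->len);      /* time of use: second fetch */
    return (int)req->len;
}

/* Hardened pattern: fetch once into host-private memory, validate that copy,
 * and use only the validated copy. A later guest write is irrelevant. */
int copy_request_fixed(struct shared_req *req, uint8_t *dst, race_hook between) {
    uint32_t len = req->len;                  /* single fetch */
    if (len > BUF_SIZE)
        return -1;
    if (between) between(req);                /* too late to matter */
    memcpy(dst, req->payload, len);
    return (int)len;
}

/* Simulated racing guest: enlarge len after the host's check has passed. */
static void guest_enlarges(struct shared_req *req) {
    req->len = BUF_SIZE + 32;                 /* 96 bytes, within the arena */
}

/* Returns 1 if the canary after the buffer is untouched, 0 if it was overwritten. */
int canary_intact(const uint8_t *arena) {
    for (size_t i = BUF_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Runs one constructed scenario: a 16-byte request that the guest grows to 96
 * bytes mid-operation. Returns 1 if the host buffer stayed in bounds. */
int run_scenario(int hardened) {
    struct shared_req req;
    uint8_t arena[ARENA_SIZE];

    memset(&req, 0, sizeof req);
    memset(req.payload, 0x41, sizeof req.payload);   /* constructed payload */
    req.len = 16;
    memset(arena, 0, BUF_SIZE);
    memset(arena + BUF_SIZE, CANARY_BYTE, CANARY_SIZE);

    if (hardened)
        copy_request_fixed(&req, arena, guest_enlarges);
    else
        copy_request_vulnerable(&req, arena, guest_enlarges);
    return canary_intact(arena);
}

int main(void) {
    printf("double-fetch: canary %s\n", run_scenario(0) ? "intact" : "CLOBBERED");
    printf("single-fetch: canary %s\n", run_scenario(1) ? "intact" : "CLOBBERED");
    return 0;
}
```

The design point is the one the advisory's TOCTOU description implies: any value that lives in guest-writable memory must be copied into host-private storage exactly once, and every check and every use must operate on that private copy. Reviewers of hypervisor or device-emulation code can grep for the shape in `copy_request_vulnerable`, a bounds check on `shared->field` followed by a later dereference of the same `shared->field`.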
Potential Impact of CVE-2025-22224
- Code Execution: Attackers can execute arbitrary code on the host system, which might lead to unauthorized access and control over virtual machines running critical applications.
- Data Compromise: The exploitation of this vulnerability could enable attackers to access, modify, or delete sensitive data within the virtual environment, leading to data breaches and loss of confidentiality.
- System Stability: As the vulnerability allows for unintended memory manipulation, it could potentially disrupt the stability of the host system, impacting overall performance and availability of virtual machines, affecting business operations.
CISA has reported CVE-2025-22224
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-22224 as being exploited; it is not known to CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
ESXi 8.0
ESXi 7.0
News Articles

Over 37,000 VMware ESXi servers vulnerable via CVE-2025-22224 | Born's Tech and Windows World
[German]This week, VMware by Broadcom has released security updates for various products, including VMware ESXi servers, to close security gaps. One vulnerability has already been exploited as a 0-day. Now...
2 days ago
0-day vulnerabilities in VMWare ESXi, Workstation and Fusion | Born's Tech and Windows World
[German]As of March 4, 2025, VMware by Broadcom has published a security advisory to warn of three zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226) that have already been exploited...
4 days ago
VMware ESXi and vCenter Flaw Enables Arbitrary Command Execution
Now a Broadcom company, VMware has released urgent security updates to address several high-severity vulnerabilities
EPSS Score
37% chance of being exploited in the next 30 days.
Timeline
- Vulnerability reached the number 1 worldwide trending spot
- Vulnerability started trending
- Used in Ransomware
- Exploit known to exist
- CISA Reported
- First article discovered by CybersecurityNews
- Vulnerability published
- Vulnerability Reserved