Out-of-Bounds Write Vulnerability in VMware ESXi and Workstation Products
CVE-2025-22224
Key Information:
- Vendor: VMware
- CVE Published: 4 March 2025
What is CVE-2025-22224?
CVE-2025-22224 is a vulnerability affecting VMware ESXi and Workstation products, which are widely used for virtualization, allowing users to run multiple operating systems on a single physical machine. This particular vulnerability involves an out-of-bounds write issue due to a Time-of-Check Time-of-Use (TOCTOU) flaw, which could enable an attacker with local administrative privileges on a virtual machine to execute arbitrary code in the context of the VMX process on the host. Such exploitation could lead to significant security risks for organizations by compromising the integrity of their virtualized environments.
Technical Details
The vulnerability arises from a timing-related problem in the way the software checks conditions before acting on them. This flaw allows for manipulation of memory operations that occur outside of the allocated buffer, putting the system at risk of unintentional data manipulation. Administrators looking to secure their virtual environments must understand that local access can escalate to higher privileges, potentially compromising the entire host system.
Potential Impact of CVE-2025-22224
- Code Execution: Attackers can execute arbitrary code on the host system, which might lead to unauthorized access and control over virtual machines running critical applications.
- Data Compromise: The exploitation of this vulnerability could enable attackers to access, modify, or delete sensitive data within the virtual environment, leading to data breaches and loss of confidentiality.
- System Stability: As the vulnerability allows for unintended memory manipulation, it could potentially disrupt the stability of the host system, impacting overall performance and availability of virtual machines, affecting business operations.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
ESXi 8.0
ESXi 7.0
News Articles
VMware Vulnerabilities Exploited Actively to Bypass Security Controls & Deploy Ransomware
A surge of ransomware attacks leveraging critical VMware virtualization vulnerabilities has triggered global alerts. Threat actors exploit flaws in ESXi, Workstation, and Fusion products to paralyze enterprise infrastructures.
2 weeks ago
Thousands of Orgs Risk Zero-Day VM Escape Attacks
More than 41,000 ESXi instances remain vulnerable to a critical VMware vulnerability, one of three that Broadcom disclosed earlier this week.
1 month ago
EPSS Score
30% chance of being exploited in the next 30 days.
Timeline
- Vulnerability reached the number 1 worldwide trending spot
- Vulnerability started trending
- Used in Ransomware
- Exploit known to exist
- CISA Reported
- First article discovered by CybersecurityNews
- Vulnerability published
- Vulnerability Reserved