CVE-2025-21571
Published: 21 January 2025
Summary
CVE-2025-21571 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely application of patches for affected VirtualBox versions, addressing the core flaw remediation.
Enforces least privilege to limit high-privileged (PR:H) local attackers' ability to exploit incorrect permission assignments on critical VirtualBox resources.
Mandates enforcement of approved access control policies, countering CWE-732 incorrect permission assignments in VirtualBox core that enable unauthorized data access and partial DoS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local vulnerability due to incorrect permissions (CWE-732) in VirtualBox core, exploitable by high-privileged attacker with logon access to compromise the application with scope change, data modification, and DoS impacts; directly maps to exploitation for privilege escalation on the host.
NVD Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.24 and prior to 7.1.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM…
more
VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L).
Deeper analysisAI
CVE-2025-21571 is a vulnerability in the Core component of Oracle VM VirtualBox, part of Oracle Virtualization. Supported versions affected by this issue are those prior to 7.0.24 and prior to 7.1.6. The vulnerability is associated with CWE-732 (Incorrect Permission Assignment for Critical Resource) and carries a CVSS 3.1 base score of 7.3, with impacts to confidentiality, integrity, and availability.
The vulnerability is easily exploitable by a high privileged attacker who has logon access to the infrastructure where Oracle VM VirtualBox executes. Such an attacker can compromise Oracle VM VirtualBox, and while the flaw resides in VirtualBox, exploitation may significantly impact additional products due to a change in scope. Successful attacks can result in unauthorized creation, deletion, or modification of critical data or all Oracle VM VirtualBox accessible data, unauthorized read access to a subset of Oracle VM VirtualBox accessible data, and unauthorized ability to cause a partial denial of service of Oracle VM VirtualBox. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L.
The Oracle security advisory provides details on mitigation, available at https://www.oracle.com/security-alerts/cpujan2025.html.
Details
- CWE(s)