CVE-2025-22224

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 04 March 2025
Modified: 30 October 2025
KEV Added: 04 March 2025
Patch: available (see the Broadcom advisory)
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.4680 (97.7th percentile)
Risk Priority: 67 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22224 is a critical-severity Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) in VMware ESXi and Workstation. Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked in the top 2.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

VMware ESXi and Workstation contain a TOCTOU race condition (CWE-367) that leads to an out-of-bounds write. The flaw resides in the hypervisor components that manage virtual-machine interactions with the host and carries a CVSS v3.1 score of 9.3.

A malicious actor who already holds local administrative privileges inside a guest virtual machine can win the race between the host's validation of guest-supplied data and its later use of that data, producing an out-of-bounds write and executing arbitrary code in the VMX process that runs that VM on the host. Because VMX is a host-side process, this escapes the virtual-machine boundary and gives the attacker a foothold on the hypervisor host itself. No privileges on the host are required beforehand, which is why the vector scores PR:N with changed scope.
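The check-then-use pattern described above, modelled in C as an added example. This is not VMware's code and does not reproduce the actual ESXi bug; the structure names (shared_req, host_target), the buffer sizes and the race hook are invented to show how a double fetch from guest-shared memory turns a validated length into an out-of-bounds write, and how fetching once into host-owned storage closes the window.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of a CWE-367 double fetch on guest-shared memory.
 * NOT VMware's code: every name, size and layout here is an assumption. */

#define HOST_BUF_LEN 64u

/* Request header the guest writes into memory that the host side also maps.
 * `volatile` models that a racing guest vCPU can change it at any moment. */
struct shared_req {
    volatile uint32_t len;
    uint8_t data[256];
};

/* Host-side destination with a guard region after it so an overflow is
 * observable instead of corrupting unrelated memory. */
struct host_target {
    uint8_t buf[HOST_BUF_LEN];
    uint8_t guard[256];
};

/* Simulates the racing guest vCPU: invoked between the host's check and
 * its use, it bumps len past the size that was validated. */
typedef void (*race_hook_t)(struct shared_req *);

static void guest_race(struct shared_req *req) { req->len = 200; }

/* VULNERABLE: len is fetched twice from guest-controlled memory. The bound
 * check sees the first value, memcpy uses the second. */
int copy_req_vulnerable(struct shared_req *req, struct host_target *dst, race_hook_t race)
{
    if (req->len > HOST_BUF_LEN)                            /* check (fetch #1) */
        return -1;
    if (race)
        race(req);                                          /* guest changes len here */
    memcpy(dst->buf, (const void *)req->data, req->len);    /* use (fetch #2): OOB write */
    return (int)req->len;
}

/* FIXED: fetch once into host-owned storage, validate that copy, use only it. */
int copy_req_fixed(struct shared_req *req, struct host_target *dst, race_hook_t race)
{
    uint32_t len = req->len;                                /* single fetch */
    if (len > HOST_BUF_LEN)
        return -1;
    if (race)
        race(req);                                          /* later guest writes are irrelevant */
    memcpy(dst->buf, (const void *)req->data, len);
    return (int)len;
}

/* Returns 1 if the guard region after the host buffer is still intact. */
int guard_intact(const struct host_target *dst)
{
    for (size_t i = 0; i < sizeof dst->guard; i++)
        if (dst->guard[i] != 0xAA)
            return 0;
    return 1;
}

/* Runs one scenario: the guest submits a valid len, then races it upward.
 * Returns the handler's result; *intact reports the guard state afterwards. */
int run_scenario(int hardened, int *intact)
{
    struct shared_req req;
    struct host_target dst;
    memset(req.data, 0x41, sizeof req.data);    /* constructed guest payload */
    req.len = 32;                               /* passes the bound check */
    memset(&dst, 0, sizeof dst);
    memset(dst.guard, 0xAA, sizeof dst.guard);
    int rc = hardened ? copy_req_fixed(&req, &dst, guest_race)
                      : copy_req_vulnerable(&req, &dst, guest_race);
    *intact = guard_intact(&dst);
    return rc;
}

/* Convenience wrappers so each result can be checked on its own. */
int scenario_rc(int hardened)           { int i; return run_scenario(hardened, &i); }
int scenario_guard_intact(int hardened) { int i; run_scenario(hardened, &i); return i; }

int main(void)
{
    printf("vulnerable: rc=%d guard_intact=%d\n", scenario_rc(0), scenario_guard_intact(0));
    printf("fixed:      rc=%d guard_intact=%d\n", scenario_rc(1), scenario_guard_intact(1));
    return 0;
}
```

The vulnerable handler returns 200 and the guard bytes after the 64-byte buffer are overwritten; the fixed handler returns 32 and the guard is untouched, even though the guest changed len at exactly the same moment. The fix is the general rule for any host or kernel code reading guest- or user-writable memory: copy each field once, validate the copy, and never dereference the shared location again.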

The Broadcom security advisory at support.broadcom.com and the CISA Known Exploited Vulnerabilities catalog entry for this CVE describe available patches and recommended remediation steps for affected VMware products.

The vulnerability appears in CISA’s KEV catalog, confirming observed exploitation in the wild. Its EPSS score rose from lower values after disclosure to a peak of 0.5997 on 2026-02-18 before receding to the current 0.4680, indicating increased exploitation interest following public release.

Vulnerability details

VMware ESXi and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

CWE(s): CWE-367 (Time-of-check Time-of-use Race Condition)
KEV Date Added: 04 March 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1611 Escape to Host Privilege Escalation
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

The TOCTOU out-of-bounds write vulnerability in the VMware hypervisor directly enables a local VM administrator to execute arbitrary code in the host VMX process, achieving escape from the guest VM to the underlying host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22225 · Same product: VMware Cloud Foundation · both on KEV
CVE-2025-22226 · Same product: VMware Cloud Foundation · both on KEV
CVE-2026-22719 · Same product: VMware Cloud Foundation · both on KEV
CVE-2014-6271 · GNU Bash (Shellshock), not a hypervisor component · both on KEV
CVE-2026-41702 · Same vendor: VMware
CVE-2026-22721 · Same product: VMware Cloud Foundation
CVE-2026-41002 · Same vendor: VMware
CVE-2026-22720 · Same product: VMware Cloud Foundation
CVE-2026-32988 · Shared CWE-367
CVE-2025-23359 · Shared CWE-367

Affected Assets

VMware ESXi: 7.0, 8.0
VMware Cloud Foundation: all versions
VMware Telco Cloud Infrastructure: 2.2, 2.5, 2.7, 3.0
VMware Telco Cloud Platform: 2.0, 2.5, 2.7, 3.0, 4.0
VMware Workstation: 17.0 to 17.6.3

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation · prevent

Directly mitigates the TOCTOU vulnerability by requiring timely remediation through the vendor patches for VMware ESXi and Workstation specified in the Broadcom advisory. This is the only control that removes the flaw; the two below reduce exposure while patches are rolled out.

SI-16 Memory Protection · prevent

Implements memory protections such as DEP and ASLR on the host to raise the cost of turning the out-of-bounds write into reliable arbitrary code execution in the VMX process. These are defense in depth against exploitation, not a fix for the race itself.

AC-6 Least Privilege · prevent

Enforces least privilege to restrict administrative access within virtual machines, hindering malicious actors from obtaining the guest-level privileges needed to trigger the vulnerability. This only helps where guest administrators are trusted; hosts running VMs whose tenants hold their own administrative rights remain exposed until patched.

References