CVE-2025-22224
Published: 04 March 2025
Summary
CVE-2025-22224 is a critical-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in VMware ESXi. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked in the top 2.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
VMware ESXi and Workstation contain a TOCTOU vulnerability that produces an out-of-bounds write, classified as CWE-367. The flaw resides in the hypervisor components that manage virtual-machine interactions with the host and carries a CVSS 3.1 score of 9.3.
A malicious actor who already possesses local administrative privileges inside a guest virtual machine can exploit the race condition to execute arbitrary code within the VMX process running on the host, thereby escaping the virtual-machine boundary and obtaining control over host resources.
The Broadcom security advisory at support.broadcom.com and the CISA Known Exploited Vulnerabilities catalog entry for this CVE describe available patches and recommended remediation steps for affected VMware products.
The vulnerability appears in CISA’s KEV catalog, confirming observed exploitation in the wild. Its EPSS score rose from lower values after disclosure to a peak of 0.5997 on 2026-02-18 before receding to the current 0.4680, indicating increased exploitation interest following public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7603
Vulnerability details
VMware ESXi and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
- CWE(s): CWE-367 (Time-of-check Time-of-use Race Condition)
- KEV Date Added: 04 March 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
- Escape to Host (T1611)
Why these techniques?
The TOCTOU out-of-bounds write vulnerability in the VMware hypervisor directly enables a local VM administrator to execute arbitrary code in the host VMX process, achieving escape from the guest VM to the underlying host.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the TOCTOU vulnerability by requiring timely remediation through vendor patches for VMware ESXi and Workstation as specified in the Broadcom advisory.
- SI-16 (Memory Protection): implements memory protections such as DEP and ASLR to mitigate exploitation of the out-of-bounds write for arbitrary code execution in the VMX process.
- AC-6 (Least Privilege): enforces least privilege to restrict administrative access within virtual machines, hindering malicious actors from obtaining the privileges needed to trigger the vulnerability.