CVE-2025-22224
Published: 04 March 2025
Summary
CVE-2025-22224 is a critical-severity Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-367) in VMware ESXi and VMware Workstation. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked in the top 2.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Directly mitigates the TOCTOU vulnerability by requiring timely application of the vendor patches for VMware ESXi and Workstation listed in the Broadcom advisory. Because the flaw is in the CISA KEV catalog and the VMX process runs on the host, an unpatched host should be treated as reachable from every guest whose administrators are not fully trusted, and the patch handled as an emergency change.
SI-16 (Memory Protection): Memory protections such as DEP and ASLR in the host raise the cost of turning the out-of-bounds write into arbitrary code execution in the VMX process. They do not remove the race itself and are a compensating control, not a substitute for the patch.
AC-6 (Least Privilege): Enforcing least privilege for administrative accounts inside virtual machines shrinks the set of users who can reach the precondition (local administrative privileges on a VM). It does not protect against a guest that is already compromised or operated by an untrusted tenant.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The TOCTOU race in the hypervisor leads to an out-of-bounds write that lets a local administrator of a guest VM execute arbitrary code in the host's VMX process for that VM, which is an escape from the guest to the underlying host (T1611).
NVD Description
VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
Deeper analysis
CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that results in an out-of-bounds write. This flaw, classified as CWE-367, carries a CVSS v3.1 base score of 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and was published on 2025-03-04. The PR:N in the vector is consistent with the "local administrative privileges on a virtual machine" precondition only when privileges are read relative to the vulnerable component, the hypervisor, on which the attacker holds none; the S:C (scope changed) metric records that the impact lands on the host rather than on the guest where the attack starts.
A malicious actor with local administrative privileges on a virtual machine can exploit this vulnerability to execute arbitrary code as the virtual machine's VMX process running on the host, potentially leading to full compromise of the hypervisor environment.
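The check-then-use pattern behind CWE-367, shown here as an added example in C that is not VMware's code and does not reproduce the actual flaw in the VMX process. A hypothetical device emulator validates a guest-writable length field in shared memory and then re-reads that field when it performs the copy; a guest write between the two reads turns a passed bound check into an out-of-bounds write. The hardened handler reads the field once into a local copy and uses only that copy. The structures, names and sizes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for the illustration (not VMware's). */
#define BUF_SIZE 64u   /* legitimate device buffer */
#define REQ_MAX  256u  /* largest payload a guest can hand over */

/* Request header living in memory the guest can write at any time.
 * volatile models the fact that the host cannot assume two reads of
 * len return the same value. */
struct shared_req {
    volatile uint32_t len;
    uint8_t payload[REQ_MAX];
};

/* Device state: the real buffer followed by a guard region so the
 * overflow can be measured instead of corrupting host memory. */
struct device {
    uint8_t mem[BUF_SIZE + REQ_MAX];
};

/* Hook that stands in for the guest racing the host between the
 * check and the use. */
typedef void (*race_fn)(struct shared_req *);

static void guest_grows_len(struct shared_req *r)
{
    r->len = REQ_MAX;   /* enlarge the request after it was validated */
}

/* VULNERABLE (CWE-367): the bound is checked on one read of req->len,
 * but the copy length comes from a second read of the same field. */
static int handle_vulnerable(struct device *dev, struct shared_req *req, race_fn race)
{
    if (req->len > BUF_SIZE)          /* time of check */
        return -1;
    if (race)
        race(req);                    /* guest changes len here */
    memcpy(dev->mem, req->payload, req->len);   /* time of use: re-read */
    return 0;
}

/* HARDENED: snapshot the guest-controlled field once, validate the
 * snapshot, and never touch the shared copy again. */
static int handle_fixed(struct device *dev, struct shared_req *req, race_fn race)
{
    uint32_t len = req->len;          /* single read */
    if (len > BUF_SIZE)
        return -1;
    if (race)
        race(req);                    /* shared len changes, snapshot does not */
    memcpy(dev->mem, req->payload, len);
    return 0;
}

/* Number of guard bytes clobbered, i.e. bytes written past BUF_SIZE. */
static size_t guard_bytes_written(const struct device *dev)
{
    size_t n = 0;
    for (size_t i = BUF_SIZE; i < sizeof dev->mem; i++)
        if (dev->mem[i] != 0)
            n++;
    return n;
}

/* Runs one handler against a request that passes the bound check and
 * is then enlarged by the guest mid-operation; returns how many bytes
 * landed past the buffer (0 means the handler held the bound). */
static size_t run_scenario(int (*handler)(struct device *, struct shared_req *, race_fn))
{
    struct device dev;
    struct shared_req req;

    memset(&dev, 0, sizeof dev);
    memset(req.payload, 0xAA, sizeof req.payload);
    req.len = 32;                      /* in bounds at check time */

    if (handler(&dev, &req, guest_grows_len) != 0)
        return 0;                      /* request rejected, nothing written */
    return guard_bytes_written(&dev);
}

int main(void)
{
    printf("vulnerable handler: %zu bytes written past the buffer\n",
           run_scenario(handle_vulnerable));
    printf("fixed handler:      %zu bytes written past the buffer\n",
           run_scenario(handle_fixed));
    return 0;
}
```

The guard region exists only so the overflow can be counted; in a real emulator the same pattern overwrites whatever follows the buffer in the host process, which is the step memory protections such as DEP and ASLR make harder to turn into code execution but do not prevent. The fix is the general rule for any field an untrusted peer can write: copy it once, validate the copy, and use only the copy.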
Mitigation details are available in the Broadcom security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-22224, indicating active exploitation in the wild.
Details
- CWE(s): CWE-367
- KEV Date Added: 04 March 2025