Cyber Resilience

CVE-2025-22225

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 04 March 2025

Modified: 30 October 2025
KEV Added: 04 March 2025
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0978 (93.1th percentile)
Risk Priority: 42 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22225 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in VMware ESXi. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 6.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

VMware ESXi contains an arbitrary write vulnerability tracked as CVE-2025-22225. The flaw resides in the VMX process and is associated with CWE-787 and CWE-123. It received a CVSS 3.1 score of 8.2, reflecting a local attack vector, low complexity, high privileges required, and changed scope with high impact on confidentiality, integrity, and availability.

An attacker who already possesses privileges inside the VMX process can trigger an arbitrary kernel write. Successful exploitation allows the attacker to escape the sandbox and gain elevated access on the underlying ESXi host.

The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation. Broadcom has published an advisory at the referenced support portal. The EPSS score has remained near 0.1 with only a minor peak of 0.1023 and does not show a material post-disclosure climb.

EU & UK References

Vulnerability details

VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

CWE(s)
KEV Date Added: 04 March 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 · Exploitation for Privilege Escalation · Tactic: Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1611 · Escape to Host · Tactic: Privilege Escalation
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.

Why these techniques?

An arbitrary kernel write from the VMX sandbox directly enables sandbox escape to the host (T1611) and exploitation for privilege escalation to full host control (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22224 · Same product: VMware Cloud Foundation · both on KEV
CVE-2025-22226 · Same product: VMware Cloud Foundation · both on KEV
CVE-2026-22719 · Same product: VMware Cloud Foundation · both on KEV
CVE-2026-22721 · Same product: VMware Cloud Foundation
CVE-2026-22720 · Same product: VMware Cloud Foundation
CVE-2014-6271 · Same product class: hypervisor / virtualization · both on KEV
CVE-2025-41244 · Same product: VMware Cloud Foundation · both on KEV
CVE-2025-22219 · Same product: VMware Cloud Foundation
CVE-2026-41702 · Same vendor: VMware
CVE-2026-40968 · Same vendor: VMware

Affected Assets

Vendor · Product · Versions
vmware · esxi · 7.0, 8.0
vmware · cloud foundation · all versions
vmware · telco cloud infrastructure · 2.2, 2.5, 2.7, 3.0
vmware · telco cloud platform · 2.0, 2.5, 2.7, 3.0, 4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Flaw remediation directly mitigates the vulnerability by applying vendor patches to fix the arbitrary kernel write in the VMX process.

Prevent: Memory protection mechanisms like ASLR, DEP, and stack canaries prevent exploitation of the out-of-bounds write and buffer overflow in VMX leading to sandbox escape.

Prevent: Process isolation strengthens VMX sandbox boundaries to block unauthorized kernel writes from privileged processes.

References