Cyber Posture

CVE-2025-22225

Severity: High · CISA KEV · Active Exploitation · Ransomware-linked

Published: 04 March 2025
Modified: 30 October 2025
KEV Added: 04 March 2025
Patch: available (see vendor advisory below)
CVSS Score: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0998 (93.1th percentile)
Risk Priority: 42 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22225 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in VMware ESXi. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 6.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): flaw remediation directly mitigates the vulnerability by applying vendor patches to fix the arbitrary kernel write in the VMX process.

SI-16 Memory Protection (prevent): memory protection mechanisms like ASLR, DEP, and stack canaries prevent exploitation of the out-of-bounds write and buffer overflow in VMX leading to sandbox escape.

Process Isolation (prevent): process isolation strengthens VMX sandbox boundaries to block unauthorized kernel writes from privileged processes.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1611 Escape to Host (tactic: Privilege Escalation): adversaries may break out of a container or virtualized environment to gain access to the underlying host.

Why these techniques?

Arbitrary kernel write from VMX sandbox directly enables sandbox escape to host (T1611) and exploitation for privilege escalation to full host control (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

Deeper analysis

CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi, specifically affecting the VMX process. A malicious actor with privileges within the VMX process can trigger an arbitrary kernel write, enabling escape from the sandbox. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-787 (Out-of-bounds Write) and CWE-123 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')).

Exploitation requires local access to the ESXi host with high privileges within the VMX process, low attack complexity, and no user interaction. Successful exploitation results in a scope change from the VMX sandbox to the host kernel, granting high-impact confidentiality, integrity, and availability compromises, such as full host takeover.

The Broadcom security advisory provides details on affected versions and patches at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390. CISA has listed CVE-2025-22225 in its Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-22225, indicating real-world exploitation by malicious actors.

This vulnerability, published on 2025-03-04, underscores the risks of VMX process privileges in virtualized environments and the urgency of applying vendor patches.

Details

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 04 March 2025

Affected Products (vendor, product, versions)

VMware ESXi: 7.0, 8.0
VMware Cloud Foundation: all versions
VMware Telco Cloud Infrastructure: 2.2, 2.5, 2.7, 3.0
VMware Telco Cloud Platform: 2.0, 2.5, 2.7, 3.0, 4.0

CVEs Like This One

CVE-2025-22224 (same product: VMware Cloud Foundation; both on KEV)
CVE-2025-22226 (same product: VMware Cloud Foundation; both on KEV)
CVE-2026-22719 (same product: VMware Cloud Foundation; both on KEV)
CVE-2026-22721 (same product: VMware Cloud Foundation)
CVE-2026-22720 (same product: VMware Cloud Foundation)
CVE-2025-41244 (same product: VMware Cloud Foundation; both on KEV)
CVE-2025-22219 (same product: VMware Cloud Foundation)
CVE-2026-40968 (same vendor: VMware)
CVE-2025-22218 (same product: VMware Cloud Foundation)
CVE-2025-22222 (same product: VMware Cloud Foundation)