CVE-2025-22225
Published: 04 March 2025
Summary
CVE-2025-22225 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in VMware ESXi. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 6.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
VMware ESXi contains an arbitrary write vulnerability tracked as CVE-2025-22225. The flaw resides in the VMX process and is associated with CWE-787 and CWE-123. It received a CVSS 3.1 score of 8.2, reflecting a local attack vector, low complexity, high privileges required, and changed scope with high impact on confidentiality, integrity, and availability.
An attacker who already possesses privileges inside the VMX process can trigger an arbitrary kernel write. Successful exploitation allows the attacker to escape the sandbox and gain elevated access on the underlying ESXi host.
The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation. Broadcom has published an advisory at the referenced support portal. The EPSS score has remained near 0.1 with only a minor peak of 0.1023 and does not show a material post-disclosure climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7604
Vulnerability details
VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.
- CWE(s)
- KEV Date Added: 04 March 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary kernel write from VMX sandbox directly enables sandbox escape to host (T1611) and exploitation for privilege escalation to full host control (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly mitigates the vulnerability by applying vendor patches to fix the arbitrary kernel write in the VMX process.
Memory protection mechanisms like ASLR, DEP, and stack canaries prevent exploitation of the out-of-bounds write and buffer overflow in VMX leading to sandbox escape.
Process isolation strengthens VMX sandbox boundaries to block unauthorized kernel writes from privileged processes.