VMware ESXi and VMware Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host, i.e. escape the guest.
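The bug class named above, a double fetch of a value the guest can keep changing, is shown below as an added example. This is constructed illustration code, not VMware's VMX source and not the actual defect in CVE-2025-22224; the `shared_req` layout, the `PAYLOAD_MAX` limit and the `guest_grows_len` "racer" are assumptions chosen to make the race deterministic. The host-side handler checks the guest-supplied length, then re-reads it for the copy, so a guest that flips the field between the two reads turns a passed bounds check into an out-of-bounds write; the hardened handler fetches the length once into host-private memory and validates that copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of a TOCTOU double fetch that becomes an OOB write.
 * Not VMware code; the layout and limits below are assumptions. */

#define PAYLOAD_MAX 16

/* Request header in memory the untrusted side (the "guest") can still write
 * to while the trusted side (the "host") is processing it. */
struct shared_req {
    volatile uint32_t len;   /* guest-controlled length field */
    uint8_t data[64];
};

struct host_ctx {
    uint8_t buf[PAYLOAD_MAX];
    uint32_t canary;         /* sits right after buf; clobbered by an overflow */
    uint8_t slack[64];       /* absorbs the overflow so the demo does not crash */
};

/* Simulated race: the guest raises len after the host's check. In reality this
 * is another vCPU writing concurrently; here it is invoked deterministically. */
typedef void (*race_hook)(struct shared_req *req);

static void guest_grows_len(struct shared_req *req) { req->len = 40; }

/* VULNERABLE: len is fetched once for the check and again for the copy. */
int handle_request_racy(struct host_ctx *ctx, struct shared_req *req, race_hook race)
{
    if (req->len > PAYLOAD_MAX)                      /* time of check: first fetch */
        return -1;
    if (race)
        race(req);                                   /* guest changes len in between */
    memcpy(ctx->buf, (const void *)req->data, req->len); /* time of use: second fetch */
    return 0;
}

/* HARDENED: fetch len exactly once into host-private memory, validate that
 * copy, and use only the copy afterwards. */
int handle_request_fixed(struct host_ctx *ctx, struct shared_req *req, race_hook race)
{
    uint32_t len = req->len;                         /* single fetch */
    if (len > PAYLOAD_MAX)
        return -1;
    if (race)
        race(req);                                   /* guest's later write is irrelevant */
    memcpy(ctx->buf, (const void *)req->data, len);
    return 0;
}

/* Runs one handler against a guest that races the length field.
 * Returns 1 if the canary survived (no OOB write), 0 if it was overwritten. */
int run_case(int (*handler)(struct host_ctx *, struct shared_req *, race_hook))
{
    struct shared_req req;
    struct host_ctx ctx;

    memset(&req, 0x41, sizeof req);                  /* constructed payload bytes */
    req.len = 8;                                     /* passes the bounds check */
    memset(&ctx, 0, sizeof ctx);
    ctx.canary = 0xDEADBEEF;

    handler(&ctx, &req, guest_grows_len);
    return ctx.canary == 0xDEADBEEF;
}

int main(void)
{
    printf("racy handler keeps canary intact:  %d\n", run_case(handle_request_racy));
    printf("fixed handler keeps canary intact: %d\n", run_case(handle_request_fixed));
    return 0;
}
```

The practical takeaway is the audit rule for any host/guest or kernel/user boundary: every field read from memory the other side can write must be copied out once, and every check and every use must operate on that private copy. A `volatile` qualifier on the shared field, as used here, only stops the compiler from merging the two reads; it does not make a two-read pattern safe.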
🚨 Marked as known exploited on March 4, 2025.
CVE ID: CVE-2025-22224
CVSS Base Severity: CRITICAL
CVSS Base Score: 9.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor: Broadcom
Product: VMware ESXi, VMware Workstation, VMware Cloud Foundation, VMware Telco Cloud Platform, VMware Telco Cloud Infrastructure
EPSS Score: 24.22% (estimated probability of exploitation activity in the wild within the next 30 days)
EPSS Percentile: 95.63% (share of all scored CVEs whose EPSS score is less than or equal to this one)
EPSS Date: 2025-04-02 (date this score was calculated)