ESXi
CVE-2025-22224
CRITICAL
Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
AnalysisAI
VMware ESXi and Workstation contain a TOCTOU race condition leading to out-of-bounds write, allowing local administrators on VMs to escape the sandbox and execute code as the VMX process on the host.
Technical ContextAI
The CWE-367 TOCTOU race condition in the VM communication mechanism allows a malicious VM administrator to win a race between validation and use of shared data, triggering an out-of-bounds write that corrupts VMX process memory on the host.
RemediationAI
Apply VMware security patches. Restrict VM admin access. Monitor ESXi hosts for anomalous VMX process behavior. Implement vSphere Hardening Guide recommendations.
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of
Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t
VMware ESXi contains an arbitrary write vulnerability that allows privileged VMX process users to trigger kernel writes,
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. Rated critical severity (CVSS 9.8),
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used
VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8
The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated, remote attacker to register arbitrary services.
The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and
VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a
VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi
VMware vCenter Server 4.0 before Update 4b and 4.1 before Update 3a, VMware VirtualCenter 2.5, VMware vSphere Client 4.0
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today