9.3

CVE-2025-22224

Warning
Media report

VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Data is provided by the National Vulnerability Database (NVD)
VMwareESXi Version7.0 Update-
VMwareESXi Version7.0 Updatebeta
VMwareESXi Version7.0 Updateupdate_1
VMwareESXi Version7.0 Updateupdate_1a
VMwareESXi Version7.0 Updateupdate_1b
VMwareESXi Version7.0 Updateupdate_1c
VMwareESXi Version7.0 Updateupdate_1d
VMwareESXi Version7.0 Updateupdate_1e
VMwareESXi Version7.0 Updateupdate_2
VMwareESXi Version7.0 Updateupdate_2a
VMwareESXi Version7.0 Updateupdate_2c
VMwareESXi Version7.0 Updateupdate_2d
VMwareESXi Version7.0 Updateupdate_2e
VMwareESXi Version7.0 Updateupdate_3
VMwareESXi Version7.0 Updateupdate_3c
VMwareESXi Version7.0 Updateupdate_3d
VMwareESXi Version7.0 Updateupdate_3e
VMwareESXi Version7.0 Updateupdate_3f
VMwareESXi Version7.0 Updateupdate_3g
VMwareESXi Version7.0 Updateupdate_3i
VMwareESXi Version7.0 Updateupdate_3j
VMwareESXi Version7.0 Updateupdate_3k
VMwareESXi Version7.0 Updateupdate_3l
VMwareESXi Version7.0 Updateupdate_3m
VMwareESXi Version7.0 Updateupdate_3n
VMwareESXi Version7.0 Updateupdate_3o
VMwareESXi Version7.0 Updateupdate_3p
VMwareESXi Version7.0 Updateupdate_3q
VMwareESXi Version7.0 Updateupdate_3r
VMwareESXi Version8.0 Update-
VMwareESXi Version8.0 Updatea
VMwareESXi Version8.0 Updateb
VMwareESXi Version8.0 Updatec
VMwareESXi Version8.0 Updateupdate_1
VMwareESXi Version8.0 Updateupdate_1a
VMwareESXi Version8.0 Updateupdate_1c
VMwareESXi Version8.0 Updateupdate_1d
VMwareESXi Version8.0 Updateupdate_2
VMwareESXi Version8.0 Updateupdate_2b
VMwareESXi Version8.0 Updateupdate_2c
VMwareESXi Version8.0 Updateupdate_3
VMwareESXi Version8.0 Updateupdate_3b
VMwareESXi Version8.0 Updateupdate_3c
VMwareCloud Foundation Version-
VMwareTelco Cloud Platform Version2.0
VMwareTelco Cloud Platform Version2.5
VMwareTelco Cloud Platform Version2.7
VMwareTelco Cloud Platform Version3.0
VMwareTelco Cloud Platform Version4.0
VMwareTelco Cloud Platform Version4.0.1
VMwareTelco Cloud Platform Version5.0
VMwareWorkstation Version >= 17.0 < 17.6.3

04.03.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

VMware ESXi and Workstation TOCTOU Race Condition Vulnerability

Vulnerability

VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.

Description

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Required actions
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 52.41% 0.978
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.2 1.5 6
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
security@vmware.com 9.3 2.5 6
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.